This patches replace all uses of the (potentially insecure) mktemp(3)
with a much safer tmpfile(3).
--- src/config.parse.c Wed Jul 20 21:03:26 1994
+++ src/config.parse.c Wed May 17 17:30:22 2000
@@ -55,7 +55,6 @@
#endif
/* prototypes */
-char *mktemp();
static void configfile_descend();
#ifndef L_tmpnam
@@ -86,7 +85,6 @@
char ignorestring[1024];
char s[MAXPATHLEN+1024];
char configfile[MAXPATHLEN+512];
- char *tmpfilename;
char number[128];
int entrynum = 0;
int err;
@@ -98,18 +96,6 @@
if (!printpreprocess && !quietmode)
fputs("### Phase 1: Reading configuration file\n", stderr);
- /* generate temporary file name */
- if ((tmpfilename = (char *) malloc(L_tmpnam + MAXPATHLEN)) == NULL) {
- perror("configfile_read: malloc()");
- exit(1);
- };
- (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE);
-
- if ((char *) mktemp(tmpfilename) == NULL) {
- perror("configfile_read: mktemp()");
- exit(1);
- }
-
/* generate configuration file name */
if (specified_configmode != SPECIFIED_FILE)
sprintf(configfile, "%s/%s", config_path, config_file);
@@ -149,25 +135,17 @@
err = umask(077); /* to protect the tempfile */
- if ((fpout = fopen(tmpfilename, "w+")) == NULL) {
- sprintf(s, "tripwire: Couldn't open config file '%s'", configfile);
- perror(s);
- exit(1);
- }
- (void) umask(err); /* return it to its former state */
-
- /* The following unlink accomplishes two things:
+ /* The use of tmpfile(3) accomplishes two things:
* 1) if the program terminates, we won't leave a temp
* file sitting around with potentially sensitive names
* in it.
* 2) the file is "hidden" while we run
*/
- if (unlink(tmpfilename) < 0) {
- perror("configfile_read: unlink()");
+ if ((fpout = tmpfile()) == NULL) {
+ perror("tmpfile");
exit(1);
}
- free(tmpfilename);
-
+ (void) umask(err); /* return it to its former state */
/*
* pass 0: preprocess file
--- src/dbase.build.c Mon Jul 25 11:24:09 1994
+++ src/dbase.build.c Wed May 17 18:22:14 2000
@@ -66,7 +66,6 @@
int files_scanned_num = 0;
/* prototypes */
-char *mktemp();
static void database_record_write();
char backupfile[MAXPATHLEN+256];
@@ -125,17 +124,7 @@
/* where do we write the new database? */
if (mode == DBASE_TEMPORARY) {
- char *tmpfilename = (char *) malloc(strlen(TEMPFILE_TEMPLATE)+1);
- if (tmpfilename == NULL)
- die_with_err("malloc() failed in database_build", (char *) NULL);
- (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE);
-
- if ((char *) mktemp(tmpfilename) == NULL)
- die_with_err("database_build: mktemp()", (char *) NULL);
-
- (void) strcpy(tempdatabase_file, tmpfilename);
- (void) strcpy(database, tempdatabase_file);
- free(tmpfilename);
+ /* do nothing */
} /* end if temporary database */
else if (mode == DBASE_UPDATE) {
sprintf(database, "./databases/%s", database_file);
@@ -224,6 +213,12 @@
}
/* rebuild the database */
+ if (mode == DBASE_TEMPORARY) {
+ fpw = tmpfile();
+ if (fpw == NULL)
+ die_with_err("call tmpfile(3) failed. Check your TMPDIR setting",
+ NULL);
+ } else
if ((fpw = fopen(database, "w")) == NULL)
die_with_err("Hint: Maybe the database directory '%s' doesn't exist? fopen()", database);
@@ -369,6 +364,6 @@
- /* we don't want to allow anyone to spoof the temporary file in /tmp */
+ /* if the database was temporary, the file was opened by tmpfile(3) --
+ as such, it can not be accessed by anything but this process */
if (mode == DBASE_TEMPORARY) {
- if ((fptempdbase = freopen(database, "r", fpw)) == NULL)
- die_with_err("temporary database file disappeared?!?", database);
+ fptempdbase = fpw;
rewind(fptempdbase);
--- src/main.c Fri Aug 26 04:23:03 1994
+++ src/main.c Wed May 17 18:01:00 2000
@@ -108,7 +108,6 @@
char *database_path = DATABASE_PATH;
char *config_path = CONFIG_PATH;
-char tempdatabase_file[MAXPATHLEN+256];
FILE *fptempdbase;
char *defaultignore = DEFAULTIGNORE;
--- src/preen.c Mon Jul 25 11:24:11 1994
+++ src/preen.c Wed May 17 18:22:22 2000
@@ -37,7 +37,6 @@
static int numentriesread = 0; /* running count of @@contents */
/* prototypes */
-char *mktemp();
static void olddbasefile_load();
char *updatemodes[] = {
@@ -97,9 +96,6 @@
preen_report(interactive, ppp_updateentries);
if (!specified_configmode)
(void) fclose(fp_in);
-
- /* remove the temporary database file */
- (void) unlink(tempdatabase_file);
SPDEBUG(3) printf("*** leaving update_gather()\n");
--- src/siggen.c Mon Jul 25 11:24:12 1994
+++ src/siggen.c Wed May 17 18:36:51 2000
@@ -52,7 +52,6 @@
extern int optind;
int debuglevel = 0;
-char *mktemp();
int (*pf_signatures [NUM_SIGS]) () = {
SIG0FUNC,
@@ -84,7 +83,6 @@
};
int verbosity = 0;
int quietmode = 0;
-char *tmpfilename = NULL;
int readstdin = 0;
@@ -167,19 +167,6 @@
FILE *fpout;
- /* generate temporary file name */
- if ((tmpfilename = (char *) malloc(L_tmpnam + MAXPATHLEN)) == NULL) {
- perror("main: malloc()");
- exit(1);
- };
- (void) strcpy(tmpfilename, "/tmp/twzXXXXXX");
-
- if ((char *) mktemp(tmpfilename) == NULL) {
- perror("siggen: mktemp()");
- exit(1);
- }
/* output */
- if (!(fpout = fopen(tmpfilename, "w"))) {
- char err[1024];
- sprintf(err, "main: fopen(%s)", tmpfilename);
- perror(err);
+ if (!(fpout = tmpfile())) {
+ perror("tmpfile()");
exit(1);
@@ -189,12 +176,6 @@
putc(c, fpout);
- fclose(fpout);
- if ((fd = open(tmpfilename, O_RDONLY)) < 0) {
- perror("siggen: open");
- exit(1);
- }
- if (siggen(fd) < 0)
+ rewind(fpout);
+ if (siggen(fileno(fpout)) < 0)
errors++;
- if (fd)
- close(fd);
+ close(fd);
- unlink(tmpfilename);
--- src/utils.c Mon Jul 25 12:23:16 1994
+++ src/utils.c Wed May 17 18:21:38 2000
@@ -785,23 +785,15 @@
int
fd_tempfilename_generate()
{
- char tmp[MAXPATHLEN+256];
- int fd;
+ FILE *tmp;
- (void) strcpy(tmp, TEMPFILE_TEMPLATE);
- if ((char *) mktemp(tmp) == NULL) {
- perror("tempfilename_generate: mktemp()");
+ tmp = tmpfile();
+ if (tmp == NULL) {
+ perror("tempfilename_generate: tmpfile()");
exit(1);
}
- if ((fd = open(tmp, O_RDWR | O_CREAT, 0600)) < 0) {
- perror("tempfilename_generate: open()");
- exit(1);
- }
- /* unlink right away to make sure no one can tamper with our file */
- unlink(tmp);
-
- return fd;
+ return fileno(tmp);
}
/*