Insecure temp file creation #95
Comments
|
The log directory is already changed in packages (RPM/Debian). It could indeed be changed in the source code. |
|
This requires changes in bin/lsc and logback.xml |
|
Packaging files must also be updated |
|
In debian lsc packages, I have not found in reference to tmp directory in |
|
Proposed solution: create a randon tmp dir ( |
|
Not so easy. LOG_DIR in bin/lsc is used only for logging start and end of lsc run. The main problem is to fix logback.xml: I am working on this. |
davidcoutadeur
pushed a commit
that referenced
this issue
Oct 19, 2023
|
Done in 77ff84b |
davidcoutadeur
pushed a commit
that referenced
this issue
Oct 20, 2023
davidcoutadeur
pushed a commit
that referenced
this issue
May 15, 2024
davidcoutadeur
pushed a commit
that referenced
this issue
May 16, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The sample configuration and scripts write many files to /tmp, as can be seen with fgrep -r /etc lsc. In particular bin/lsc and and etc/logback.xml, which are probably used unchanged by many users following the instructions on the website. These temporary files have known, fixed names. This is insecure and can lead to information disclosure or overwriting of files by another user on the system. See e.g. https://cwe.mitre.org/data/definitions/377.html
I suggest defaulting to writing logs to LSC_HOME, and using a secure method for creating temporary files and directories.
The text was updated successfully, but these errors were encountered: