Closed Bug 164842 Opened 22 years ago Closed 11 years ago

Improper plugin tmp dir name on Linux

Categories

(Core Graveyard :: Plug-ins, defect, P3)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Linux
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla1.5alpha

People

(Reporter: tenthumbs, Unassigned)

Details

(Whiteboard: [PL2:NA]) 

In nsPluginHostImpl.cpp at line 186 there is

#define kPluginTmpDirName NS_LITERAL_CSTRING("plugtmp")

and it's used at around line 2040. On Linux mozilla creates a /tmp/plugtmp.
That's wrong for a multi-user OS. You need a unique name for every user.

Also mozilla tries to give this directory 0777 permissions. That's a huge
security/privacy hole particularly since the code says https download are stored
there.
we have this dir on our multi user environment here with
10+ users on the same machine. The /tmp/plugtmp dir exists
and is 0755 (masked probably by the users umask). Doesn't
seem to affect anything since it's probably silently 
ignored if mkdir() fails for another user, and also it's
completely empty - no https stuff there. 

Maybe it's just an artifact and is just dead code. Maybe
a candidate for code cleanup operations ?
assigning to Anthony for verification
Assignee: beppe → anthonyd
Priority: -- → P3
Whiteboard: [PL2:NA]
Target Milestone: --- → mozilla1.2alpha
IMHO directory with 0777 mode is fine, the files suppose to have 0600 mode.
it's the same in case of security concern
if we'll create /tmp/plugintmp/<user with 0600 mode>/file_owned_by_user
or /tmp/plugintmp/file_owned_by_user_with_0600_mode

after talking with serge he says we at least have to change the file permissions
to 0600 for this bug, and we also need input from mstoltz our security guru
about this issue.

<ping> mstoltz
You need 0700 for a directory and 0600 for files in that directory. If a 
random user has r+x permission on a directory then he may be able to 
hard link to a file there.

I know the code's been there for quite a while but I've only seen the 
directory recently. Did something change?
the code's been in since 2001-11-06, when fix for bug 104859 was checked in.
Then something else changed. Mozilla never created /tmp/plugtmp back 
then. I pay attention to this sort of stuff.
if a directory has 0777 permissions, any user can write to the directory and any
user can delete files from the directory, regarless of the ownership or 
permissions of the files themselves

currently, the directory needs 0777 permissions because it is not unique (per user)
Yes, this seems kind of bad - if this directory holds temporary data from
plugins then it should probably be accessible only to that user. Is it feasible
to create a new temp dir for each user, with the most restrictive permissions
possible? (0700 for the dir and 0600 for the files sounds good.) I'm no Unix
wizard, but maybe there's a shortcut call for creating per-user temp directories?
Okay, I guess I was hoping someone would tell (and I am not a unix guy at all)
what I need to do here to fix this.  please?
Status: NEW → ASSIGNED
I guess to be mroe specific, could a unix guru tell me which solution mentioned
here is the correct or most correct one, or do I need another solution entirely?
I think comment 3a is probably the best solution:

/tmp/plugintmp/<user with 0600 mode>/file_owned_by_user

except that should be 0700, right?

/tmp/plugin_user/file_owned_by_user
would also work.  again, "plugin_user" should be mode 0700, read/write/execute,
but only for that user.
Each mozilla process needs to use unique names. You can't share.

If mozilla uses /tmp/plugindir/<anything> then /tmp/plugindir will be owned
by precisely one user and that user can probably delete /tmp/plugindir and
everything beneath it. At the very least that user can rename the directory.
What will mozilla do if the paths it knows about are suddenly invalid? This
is not just one user shooting himself in the foot. All active mozillas
belonging to other users will be affected.

Also, using a shared name means that it is possible for the directory to
exist for extended periods. Many systems will periodically reap the temp
dirs. You want to avoid giving such jobs the chance to delete every
mozilla's files.

I make no claims to be a unix guru but I do know a few things.

There are many unix horror stories about what can befall the unwary when
creating temp files. Most of them are true. There are many nasty surprises
possible. Luckily mozilla wants to create a directory which is easier
because directory semantics are more restrictive than regular files.

A few platforms offer a mkdtemp function which does exactly what you want.
Unfortunately it's not widely available, even within the same platform; e.g.
Redhat 7 has it but RH6 does not. That means that you have to roll your own
and that means using some variation of looping over creating a unique name,
checking if it already exists, and creating the directory. That's usually
tempnam + mkdir. There are lots of not-so-unique tempnam's out there so
there are warnings about using it as well as any other such functions. See
the man pages.

It may be better to do it yourself. You need to do three things:
1) choose a parent directory. If you want a system temp one then it's common
to use the TMPDIR environment variable first (provided you're not a suid
process), then the P_tmpdir from stdio.h, then /tmp.
2) create a reasonably unique name. That shouldn't be too difficult for
mozilla.
3) try to create a directory in the parent dir with the unique name.
If something goes wrong loop over the steps for some reasonable number of
times.

You really should get together with the bug 124307 people who have similar
needs. There are also bugs about mozilla not supporting TMPDIR. They all
should be addressed the same way.

This may be harder to do than it should be in mozilla because mozilla wants
to use nspr and nspr offers only a limited subset of the system functions
you need.

If you want to see a working model look at lynx. It does exactly the same
thing and it's been around a while so most of the rough edges have been
smoothed out.

BTW, note that 4.x uses nscomm40_<username> which is a start but 4.x can get
confused if that name already exists but is owned by another user.
handing over to serge and putting into 1.3 beta
Assignee: anthonyd → serge
Status: ASSIGNED → NEW
Target Milestone: mozilla1.2alpha → mozilla1.3beta
BTW, look at bug 181146.
-->peterl
Assignee: serge → peterlubczynski
QA Contact: shrir → bmartin
Target Milestone: mozilla1.3beta → mozilla1.5alpha
Any updates for this bug after no comments for ~6 years? Even the QA Contact of this bug is a non-existent address. This bug probably has security implications, but still it has been ignored for such a long time.

I think the proper solution would be to use mkstemp("/var/tmp/mozplug.XXXXXX") for each downloaded file, or mkdtemp("/var/tmp/mozplug.XXXXXX") per session.
QA Contact: bmartin → plugins
We have had files stored into unique temp directories with mode 0700 for a while now (see nsPluginHost::GetPluginTempDir()).
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Assignee: peterlubczynski-bugs → nobody
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.