This patches replace all uses of the (potentially insecure) mktemp(3) with a much safer tmpfile(3).
--- src/config.parse.c Wed Jul 20 21:03:26 1994
+++ src/config.parse.c Wed May 17 17:30:22 2000
@@ -55,7 +55,6 @@
 #endif
 /* prototypes */
-char *mktemp();
 static void configfile_descend();
 #ifndef L_tmpnam
@@ -86,7 +85,6 @@
 char ignorestring[1024];
 char s[MAXPATHLEN+1024];
 char configfile[MAXPATHLEN+512];
- char *tmpfilename;
 char number[128];
 int entrynum = 0;
 int err;
@@ -98,18 +96,6 @@
 if (!printpreprocess && !quietmode)
 fputs("### Phase 1: Reading configuration file\n", stderr);
- /* generate temporary file name */
- if ((tmpfilename = (char *) malloc(L_tmpnam + MAXPATHLEN)) == NULL) {
- perror("configfile_read: malloc()");
- exit(1);
- };
- (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE);
-
- if ((char *) mktemp(tmpfilename) == NULL) {
- perror("configfile_read: mktemp()");
- exit(1);
- }
-
 /* generate configuration file name */
 if (specified_configmode != SPECIFIED_FILE)
 sprintf(configfile, "%s/%s", config_path, config_file);
@@ -149,25 +135,17 @@
 err = umask(077); /* to protect the tempfile */
- if ((fpout = fopen(tmpfilename, "w+")) == NULL) {
- sprintf(s, "tripwire: Couldn't open config file '%s'", configfile);
- perror(s);
- exit(1);
- }
- (void) umask(err); /* return it to its former state */
-
- /* The following unlink accomplishes two things:
+ /* The use of tmpfile(3) accomplishes two things:
 * 1) if the program terminates, we won't leave a temp
 * file sitting around with potentially sensitive names
 * in it.
 * 2) the file is "hidden" while we run */
- if (unlink(tmpfilename) < 0) {
- perror("configfile_read: unlink()");
+ if ((fpout = tmpfile()) == NULL) {
+ perror("tmpfile");
 exit(1);
 }
- free(tmpfilename);
-
+ (void) umask(err); /* return it to its former state */
 /*
 * pass 0: preprocess file
--- src/dbase.build.c Mon Jul 25 11:24:09 1994
+++ src/dbase.build.c Wed May 17 18:22:14 2000
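Review bot: In the last config.parse.c hunk, `perror("tmpfile")` drops the `configfile_read:` prefix that the other messages in this function carry (the removed `perror("configfile_read: mktemp()")` is the model), so a failure no longer says where it happened; `perror("configfile_read: tmpfile()");` keeps the convention. The `umask(077)` / `umask(err)` bracket kept around the call now protects nothing: on glibc and the BSDs tmpfile(3) creates its file O_EXCL with mode 0600 and unlinks it at once, so there is no path left for the mode to cover, and the pair could go along with the `/* to protect the tempfile */` comment. Worth adding a comment at the call that the safety now rests on the C library, e.g. `/* relies on tmpfile(3) creating the file O_EXCL, mode 0600, and unlinking it immediately */`, so a port to a libc with a weaker tmpfile is noticed. configfile_read continues past the end of the hunk.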
@@ -66,7 +66,6 @@
 int files_scanned_num = 0;
 /* prototypes */
-char *mktemp();
 static void database_record_write();
 char backupfile[MAXPATHLEN+256];
@@ -125,17 +124,7 @@
 /* where do we write the new database? */
 if (mode == DBASE_TEMPORARY) {
- char *tmpfilename = (char *) malloc(strlen(TEMPFILE_TEMPLATE)+1);
- if (tmpfilename == NULL)
- die_with_err("malloc() failed in database_build", (char *) NULL);
- (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE);
-
- if ((char *) mktemp(tmpfilename) == NULL)
- die_with_err("database_build: mktemp()", (char *) NULL);
-
- (void) strcpy(tempdatabase_file, tmpfilename);
- (void) strcpy(database, tempdatabase_file);
- free(tmpfilename);
+ /* do nothing */
 } /* end if temporary database */
 else if (mode == DBASE_UPDATE) {
 sprintf(database, "./databases/%s", database_file);
@@ -224,6 +213,12 @@
 } /* rebuild the database */
+ if (mode == DBASE_TEMPORARY) {
+ fpw = tmpfile();
+ if (fpw == NULL)
+ die_with_err("call tmpfile(3) failed. Check your TMPDIR setting",
+ NULL);
+ } else
 if ((fpw = fopen(database, "w")) == NULL)
 die_with_err("Hint: Maybe the database directory '%s' doesn't exist? fopen()", database);
@@ -369,6 +364,6 @@
- /* we don't want to allow anyone to spoof the temporary file in /tmp */
+ /* if the database was temporary, the file was opened by tmpfile(3) --
+ as such, it can not be accessed by anything but this process */
 if (mode == DBASE_TEMPORARY) {
- if ((fptempdbase = freopen(database, "r", fpw)) == NULL)
- die_with_err("temporary database file disappeared?!?", database);
+ fptempdbase = fpw;
 rewind(fptempdbase);
--- src/main.c Fri Aug 26 04:23:03 1994
+++ src/main.c Wed May 17 18:01:00 2000
@@ -108,7 +108,6 @@
 char *database_path = DATABASE_PATH;
 char *config_path = CONFIG_PATH;
-char tempdatabase_file[MAXPATHLEN+256];
 FILE *fptempdbase;
 char *defaultignore = DEFAULTIGNORE;
--- src/preen.c Mon Jul 25 11:24:11 1994
+++ src/preen.c Wed May 17 18:22:22 2000
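Review bot: After the second dbase.build.c hunk the `database` buffer is never assigned in DBASE_TEMPORARY mode — the removed `strcpy(database, tempdatabase_file)` was what filled it — so any later read of `database` on that path outside the hunk (a log message, a stat, a rename) would now see whatever the array held before; worth checking the rest of database_build for such uses before relying on it. The empty `+ /* do nothing */` branch is also a style smell: a comment above the chain such as `/* DBASE_TEMPORARY needs no name; the file is created with tmpfile(3) when it is opened */` and starting the chain at `if (mode == DBASE_UPDATE) {` reads better than an if whose body is a comment. The if/else chain continues past the hunk.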
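Review bot: The new message `call tmpfile(3) failed. Check your TMPDIR setting` in the third dbase.build.c hunk sends the operator to a variable that tmpfile(3) may not consult: glibc's tmpfile(3) always creates the file under P_tmpdir (normally /tmp) and ignores TMPDIR, and the BSD libcs honour it only for non-setuid processes. A message that names what is actually tried is more useful, e.g. `die_with_err("database_build: tmpfile(3) failed; is the system temporary directory (usually /tmp) writable and not full?", NULL);`, and if die_with_err prints the errno text the real cause will follow anyway. The two-line `die_with_err(` call as the unbraced body of `if (fpw == NULL)` is legal but easy to misread; braces around it would match the `if (mode == DBASE_TEMPORARY) {` block it sits in.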
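Review bot: The replacement comment in the last dbase.build.c hunk claims more than tmpfile(3) provides: an unlinked temporary file has no name in the filesystem, but it stays reachable through the open descriptor, which any child forked by this process inherits (and keeps across exec() unless it is close-on-exec) and which is visible through the process's open-file table, so `it can not be accessed by anything but this process` is not accurate. Suggest `/* if the database was temporary it was opened with tmpfile(3): the file has no name, so nothing can open it by path or swap it under us; the descriptor is still inherited across fork() */`. The `fptempdbase = fpw;` handoff followed by the existing `rewind(fptempdbase);` is sound, since rewind(3) flushes the pending output before the stream is read; the enclosing function continues past the hunk.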
@@ -37,7 +37,6 @@
 static int numentriesread = 0; /* running count of @@contents */
 /* prototypes */
-char *mktemp();
 static void olddbasefile_load();
 char *updatemodes[] = {
@@ -97,9 +96,6 @@
 preen_report(interactive, ppp_updateentries);
 if (!specified_configmode)
 (void) fclose(fp_in);
-
- /* remove the temporary database file */
- (void) unlink(tempdatabase_file);
 SPDEBUG(3) printf("*** leaving update_gather()\n");
--- src/siggen.c Mon Jul 25 11:24:12 1994
+++ src/siggen.c Wed May 17 18:36:51 2000
@@ -52,7 +52,6 @@
 extern int optind;
 int debuglevel = 0;
-char *mktemp();
 int (*pf_signatures [NUM_SIGS]) () = {
 SIG0FUNC,
@@ -84,7 +83,6 @@
 };
 int verbosity = 0;
 int quietmode = 0;
-char *tmpfilename = NULL;
 int readstdin = 0;
@@ -167,19 +167,6 @@
 FILE *fpout;
- /* generate temporary file name */
- if ((tmpfilename = (char *) malloc(L_tmpnam + MAXPATHLEN)) == NULL) {
- perror("main: malloc()");
- exit(1);
- };
- (void) strcpy(tmpfilename, "/tmp/twzXXXXXX");
-
- if ((char *) mktemp(tmpfilename) == NULL) {
- perror("siggen: mktemp()");
- exit(1);
- }
 /* output */
- if (!(fpout = fopen(tmpfilename, "w"))) {
- char err[1024];
- sprintf(err, "main: fopen(%s)", tmpfilename);
- perror(err);
+ if (!(fpout = tmpfile())) {
+ perror("tmpfile()");
 exit(1);
@@ -189,12 +176,6 @@
 putc(c, fpout);
- fclose(fpout);
- if ((fd = open(tmpfilename, O_RDONLY)) < 0) {
- perror("siggen: open");
- exit(1);
- }
- if (siggen(fd) < 0)
+ rewind(fpout);
+ if (siggen(fileno(fpout)) < 0)
 errors++;
- if (fd)
- close(fd);
+ close(fd);
- unlink(tmpfilename);
--- src/utils.c Mon Jul 25 12:23:16 1994
+++ src/utils.c Wed May 17 18:21:38 2000
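Review bot: The added `close(fd);` in the last siggen.c hunk closes a descriptor that nothing in the new code sets — the `open()` that assigned `fd` is removed in this same hunk, so `fd` now carries whatever value it had before (its declaration is outside the hunk; if it has no initializer this is undefined behaviour, and for a stale small value it closes an unrelated descriptor such as stdout). Meanwhile the stream that is actually open, `fpout`, is never closed. Replace the line with `fclose(fpout);`, which releases the underlying descriptor once siggen() has finished reading through fileno(fpout) (the old `if (fd) close(fd);` indicates siggen() does not close what it is given). The rewind(3) before the call is right, as it flushes the putc() output; the enclosing function begins before the hunk.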
@@ -785,23 +785,15 @@
 int fd_tempfilename_generate()
 {
- char tmp[MAXPATHLEN+256];
- int fd;
+ FILE *tmp;
- (void) strcpy(tmp, TEMPFILE_TEMPLATE);
- if ((char *) mktemp(tmp) == NULL) {
- perror("tempfilename_generate: mktemp()");
+ tmp = tmpfile();
+ if (tmp == NULL) {
+ perror("tempfilename_generate: tmpfile()");
 exit(1);
 }
- if ((fd = open(tmp, O_RDWR | O_CREAT, 0600)) < 0) {
- perror("tempfilename_generate: open()");
- exit(1);
- }
- /* unlink right away to make sure no one can tamper with our file */
- unlink(tmp);
-
- return fd;
+ return fileno(tmp);
 }
 /*
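Review bot: `fd_tempfilename_generate` now returns `fileno(tmp)` but never closes the `FILE *` it came from, so each call leaks a stdio stream and its buffer, and the orphaned FILE keeps referring to a descriptor number the caller now owns: once the caller close()s it and the number is reused, exit-time stdio cleanup can fclose() something else. Giving the caller a duplicate of the descriptor and closing the stream right away fixes both, at the cost of one dup(2) call (declared in <unistd.h>; check that this file already includes it). The `perror` prefix `tempfilename_generate:` kept here still does not match the function name, which is pre-existing.
```c
int fd_tempfilename_generate()
{
	FILE *tmp;
	int fd;

	/* … unchanged: tmp = tmpfile() and its error check … */

	/* hand back a descriptor of our own and drop the FILE: leaving the
	 * stream open would leak it and let exit-time stdio cleanup close a
	 * descriptor number the caller may already have closed and reused */
	fd = dup(fileno(tmp));
	if (fd < 0) {
		perror("tempfilename_generate: dup()");
		exit(1);
	}
	(void) fclose(tmp);
	return fd;
}
```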