improve temp dir security

http://bugs.debian.org/807341 * Fix insecure temporary permissions when git-annex repair is used in in a corrupted git repository. Other calls to withTmpDir didn't leak any potentially private data, but repair clones the git repository to a temp directory which is made using the user's umask. Thus, it might expose a git repo that is otherwise locked down. * Fix potential denial of service attack when creating temp dirs. Since withTmpDir used easily predictable temporary directory names, an attacker could create foo.0, foo.1, etc and as long as it managed to keep ahead of it, could prevent it from ever returning. I'd rate this as a low utility DOS attack. Most attackers in a position to do this could just fill up the disk /tmp is on to prevent anything from writing temp files. And few parts of git-annex use withTmpDir anyway, so DOS potential is quite low. Examined all callers of withTmpDir and satisfied myself that switching to mkdtmp and so getting a mode 700 temp dir wouldn't break any of them. Note that withTmpDirIn continues to not force temp dir to 700. But it's only used for temp directories inside .git/annex/wherever/ so that is not a problem. Also re-audited all other uses of temp files and dirs in git-annex.
2015-12-15 20:20:37 -04:00 · 2015-12-15 20:20:37 -04:00 · 96dd0f4ebe
commit 96dd0f4ebe
parent 04e00146ed
2 changed files with 32 additions and 14 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -5,6 +5,9 @@ git-annex (5.20151209) UNRELEASED; urgency=medium
    The empty file it was sending tickled bugs in some php WebDAV server.
  * fsck: Failed to honor annex.diskreserve when checking a remote.
  * Debian: Build depend on concurrent-output.
+  * Fix insecure temporary permissions when git-annex repair is used in
+    in a corrupted git repository.
+  * Fix potential denial of service attack when creating temp dirs.

 -- Joey Hess <id@joeyh.name>  Thu, 10 Dec 2015 11:39:34 -0400