Re: [Libreoffice] [PATCH] Simplify a function returning the temporary directory name

On Wed, 2011-07-13 at 18:48 +0200, Francois Tigeot wrote:
> On Wed, Jul 13, 2011 at 09:16:33AM -0600, Tor Lillqvist wrote: > Do we
>  really want to have those access() checks there? > > I am not evil
>  enough to think of a way to abuse that code (insert maniacal
>  laughter), but in general, isn't that exactly the kind of coding that
>  could be a security vulnerability? (TOCTTOU seems to be the technical
>  term, http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use )
>
> These were added by Caolán; I've no strong feeling about them.
>
> Caolán, is there a special reason you added the access() checks ?

Yes, so that you don't end up using a tmp dir you're not able to write
to and probably fall over and die.

Re TOCTTOU, if someone has the power to replace your $TMPDIR then I
think you're doomed anyway.

But sure, 
a) looking around at various apps and libs and what they do, a
sufficient number of them just getenv for $TMPDIR and if not set then
use /tmp with no precheck that $TMPDIR is writable that there's no real
point us attempting any check either given that we're at the top of a
stack of things that will fail with an unwriteable $TMPDIR.
b) it's probably indeed better to generally bail our early with epic
failure if the TMPDIR isn't writable rather than let it run and use a
shared /tmp in the face of an explicit attempt-gone-wrong to avoid using
a shared /tmp

yeah, drop the access and let the callers handle later failure if it
happens, happen anyway on a full partition.

C.