Nelson's log

Am I crazy? Modern Unix security

This Python library I’m using (deliberately left nameless, not well known) has what I think is a security problem. It takes a password and generates a login token. It then writes that login token to a file in /tmp. A world readable file. That token can then be used by anyone with access to the Unix system to impersonate the user. That seems bad.

What’s baffling me is I reported the bug and the author of the code and other users of the library don’t see the problem. “If someone can read files on your computer you’re screwed anyway.” I think they’re wrong, but maybe this is just me being old?

I grew up in the era of shared Unix systems. We regularly had 40 people all logged into one machine, so of course file permissions mattered. But modern Unix systems are generally single user. Single application, for that matter. And the rise of VM and container technology makes that doubly so. So maybe it doesn’t really matter?

Of course it matters. And it’s easy enough to fix; just make the file private. Although... Doing that correctly in Python is remarkably complicated. You can’t just create the file and then chmod it, because that creates a race condition where the file is briefly world readable. I think setting umask is better, but that’s per-process state so you can’t really do that in a thread-safe manner without locking. os.open() with a file mode is also a possibility but complicated because you’re dealing with file descriptors. The tempfile package in Python does this nicely, but unfortunately I can’t use it because I need a persistent file. tempfile’s code is remarkably complex!
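One way to write a persistent private file without changing umask, as an added example that is not from the original post or the library in question; the names `write_private` and `file_mode` are hypothetical. It goes slightly beyond the text by writing to a sibling temporary name and renaming it into place, because the mode passed to `os.open()` only applies when the file is created, so a world-readable file already sitting at the target path would otherwise keep its old permissions.

```python
import os
import secrets
import stat


def write_private(path, data, mode=0o600):
    """Atomically write bytes to path; no other user can ever read the file."""
    directory = os.path.dirname(os.path.abspath(path))
    # Unpredictable sibling name. O_EXCL makes creation fail instead of
    # reusing a file or symlink that someone else planted under that name.
    tmp = os.path.join(
        directory, f".{os.path.basename(path)}.{secrets.token_hex(8)}")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    # The kernel applies the mode at creation time, so the file never exists
    # with wider permissions. umask can only clear bits, never add them, so
    # no process-wide (thread-unsafe) umask change is needed.
    fd = os.open(tmp, flags, mode)
    try:
        with os.fdopen(fd, "wb") as f:  # the file object now owns fd
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        # rename is atomic: readers see the old file or the new one, and an
        # existing file at path is replaced rather than reused.
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise


def file_mode(path):
    """Permission bits of path itself (symlinks are not followed)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "login-token")
        write_private(target, b"constructed-sample-token")
        print(oct(file_mode(target)))
```

The directory holding the file still matters: in a shared directory such as /tmp the target name itself is predictable, so a per-user directory is the safer home for a long-lived token.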