[Nagiosplug-devel] tip for plugin development and temp files

Leif Nixon nixon at nsc.liu.se
Mon Jan 2 22:12:38 CET 2012


Matthieu Fournet <fournet.matthieu at gmail.com> writes:

> So my advice would be to name temp files like :
>
> tmp_[plugin_name]_[timestamp]

If we are talking about files under /tmp, or any other location which is
world-writable, this is a very bad idea, as it opens you up to symlink
attacks.

See e.g.

  https://www.securecoding.cert.org/confluence/display/seccode/FIO43-C.+Do+not+create+temporary+files+in+shared+directories

for more details.

-- 
Leif Nixon - Security officer
National Supercomputer Centre - Swedish National Infrastructure for Computing
Nordic Data Grid Facility - European Grid Infrastructure
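An added example, not part of the message above or of the Nagios plugins code: one way to create a plugin temp file so that a symlink already sitting at a guessable name is refused rather than followed. The helper names, the `check_demo` plugin name and the timestamp are hypothetical, and the self-check runs in a private scratch directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unpredictable name: mkstemp() replaces "XXXXXX" and opens the file with
 * O_CREAT|O_EXCL. Returns an fd, or -1 on error. */
int plugin_mkstemp(char *path_template)
{
    mode_t old = umask(077);          /* some old libcs did not force 0600 */
    int fd = mkstemp(path_template);
    umask(old);
    return fd;
}

/* If a fixed name cannot be avoided: refuse anything that already exists. */
int open_fixed_name_safely(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check with constructed names; returns 0 when all properties hold. */
int selftest(void)
{
    char dir[] = "/tmp/tmpfile_demo.XXXXXX";
    char target[128], fixed[128], tmpl[128];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(fixed, sizeof fixed, "%s/tmp_check_demo_1325538758", dir);
    snprintf(tmpl, sizeof tmpl, "%s/check_demo.XXXXXX", dir);
    /* Stand-in for a link someone else placed at the guessable name. */
    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (t < 0 || symlink(target, fixed) != 0) return -1;
    close(t);
    int refused = open_fixed_name_safely(fixed) == -1 && errno == EEXIST;
    int fd = plugin_mkstemp(tmpl);
    int private_ok = fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 077) == 0;
    int untouched = stat(target, &st) == 0 && st.st_size == 0;
    if (fd >= 0) close(fd);
    unlink(tmpl); unlink(fixed); unlink(target); rmdir(dir);
    return (refused && private_ok && untouched) ? 0 : 1;
}

int main(void) { return selftest(); }
```

Keep the descriptor returned by `plugin_mkstemp()` and write through it; reopening the file by name later brings the race back.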



