Bug 112516 - zip creates insecure temporary files
Product: Red Hat Linux
Classification: Retired
Component: zip
All Linux
medium Severity medium
Assigned To: Lon Hohberger
Ben Levenson
: Security
Reported: 2003-12-21 19:40 EST by Need Real Name
Modified: 2007-04-18 13:00 EDT (History)

Doc Type: Bug Fix
Last Closed: 2004-04-19 10:21:57 EDT

Attachments
Change umask prior to temporary file creation (856 bytes, patch)
2003-12-22 09:42 EST, Lon Hohberger
Description Need Real Name 2003-12-21 19:40:19 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5)
Gecko/20031007 Firebird/0.7

Description of problem:

zip can be used with the -t switch to specify a location for the
temporary file it creates.

The man page gives the following example:
 -b path
   Use the specified path for the temporary zip archive. For  example:
     zip -b /tmp stuff *

Unfortunately, zip creates a temporary file with world readable
 [not-root@host dir]$ ls -trlah /tmp/
 -rw-r--r--    1 root     root         219M Dec 22 00:40 ziK2Os4N

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. zip -b /tmp/ -r something.zip folder/
2. ls -trlah /tmp/

Additional info:
Comment 1 Lon Hohberger 2003-12-22 09:42:19 EST
Created attachment 96665
Change umask prior to temporary file creation

The files are created with the umask from the user's environment.

e.g.  Typing "umask 0066" at the command line will alter this and all other
programs' file creation behavior.

I will include this fix for temporary file creation in the next build in
Comment 2 Lon Hohberger 2003-12-22 09:44:11 EST
Package built; will appear in rawhide (zip-2.3-19) - waiting for
rawhide push prior to closing.
Comment 3 Need Real Name 2004-04-19 10:21:57 EDT
zip-2.3-20 is in rawhide. Closing.
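
The umask behaviour described in Comment 1, and the approach named in the attachment title (tightening the umask just before the temporary file is created), shown as an added C example; it is not the attached patch and not zip's own code. The function name `tmpfile_mode`, the `zi-demo-` file name and the 0077 value are assumptions, and the file is opened with a requested mode of 0666, as `fopen(path, "w")` would do.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a scratch file in dir with a requested mode of 0666 and return the
 * permission bits it ends up with, or -1 on error.
 * env_umask stands in for the umask inherited from the user's shell.
 * If harden is nonzero, the umask is tightened to 0077 only around the
 * creation and then put back, so files created later are unaffected. */
int tmpfile_mode(const char *dir, mode_t env_umask, int harden)
{
    static unsigned counter;          /* keeps names unique within a run */
    char path[1024];
    struct stat st;
    mode_t caller_umask, saved = 0;
    int fd, result = -1;

    snprintf(path, sizeof path, "%s/zi-demo-%ld-%u",
             dir, (long)getpid(), counter++);

    caller_umask = umask(env_umask);  /* simulate the inherited umask */
    if (harden)
        saved = umask(0077);          /* owner-only while the file is created */

    /* O_EXCL: fail rather than reuse a name that already exists in dir */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);

    if (harden)
        umask(saved);                 /* restore before anything else is created */

    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            result = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    umask(caller_umask);              /* leave the process as we found it */
    return result;
}

int main(void)
{
    printf("umask 0022, unchanged: %04o\n", (unsigned)tmpfile_mode("/tmp", 0022, 0));
    printf("umask 0066, unchanged: %04o\n", (unsigned)tmpfile_mode("/tmp", 0066, 0));
    printf("umask 0022, hardened : %04o\n", (unsigned)tmpfile_mode("/tmp", 0022, 1));
    return 0;
}
```

With the common default umask of 0022 the unhardened call yields 0644, matching the `-rw-r--r--` listing in the description; the hardened call yields 0600 regardless of the inherited umask.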
