Looking at the code, it looks like when using an external editor nodau handles temporary files in an unsafe way, due to using /tmp/nodau.$time containing the Unix time. This might lead to overwriting of files owned by a user or even disclosure of information (e.g. a user editing (encrypting) notes).
(Note: For easy reproduction you need to set fs.protected_symlinks=0 on recent Linux kernels[0].)
1. Evil user creates a world-writable file in e.g. /tmp and then creates lots of symlinks /tmp/nodau.$timestamps (with timestamps in the future) to this file.
2. Regular user now creates a new note with nodau encrypt testnote.
3. Evil user now has access to the secret note in /tmp/worldwritable after the user has saved the file in the editor (nodau prompts that the file gets saved
Another use case would be that if the evil user knows the name of a file writable by the user, they can make the user overwrite it with note content.
Furthermore, as it is implemented right now, depending on the umask of the user editing a note, every other user might read the temporary file while the user has the editor open.
nodau should not use /tmp in an unsafe way. Kurt Seifried from the Red Hat Security Response Team wrote a nice blog entry describing how to safely create files in various programming languages[1].
https://github.com/darkrose/nodau/blob/master/src/edit.c#L159
[0] https://lwn.net/Articles/503660/
[1] http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/
Regards,
Salvatore
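The kind of fix the report asks for, as an added example in C (the language of nodau's edit.c); it is not nodau's code or a patch from the project. The function names, the scratch directory and the timestamp in the symlink name are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not nodau's code. mkstemp(): random name, O_EXCL; umask(077)
 * keeps the mode 0600 on any libc. Fills `path`, returns an fd or -1. */
int safe_note_tmpfile(const char *dir, char *path, size_t len)
{
    if (snprintf(path, len, "%s/nodau.XXXXXX", dir) >= (int)len) return -1;
    mode_t old = umask(077);
    int fd = mkstemp(path);
    umask(old);
    return fd;
}

/* For a fixed name: O_CREAT|O_EXCL fails if anything, a symlink included,
 * already exists at `path`, so a planted link is never followed. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario from the report: a symlink at a time-based name points
 * at another file. Returns 1 if the open is refused, target left empty. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/nodau-demo.XXXXXX", target[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/worldwritable", dir);
    snprintf(lnk, sizeof lnk, "%s/nodau.1700000000", dir); /* constructed */
    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t < 0 || close(t) != 0 || symlink(target, lnk) != 0) return -1;
    int fd = open_exclusive(lnk);
    int ok = fd < 0 && stat(target, &st) == 0 && st.st_size == 0;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}

int main(void)
{
    char p[128];
    int fd = safe_note_tmpfile("/tmp", p, sizeof p);
    printf("%s (fd %d), symlink refused: %d\n", p, fd, symlink_is_refused());
    return fd < 0 || close(fd) || unlink(p);
}
```

The editor would then be started on the path returned in `path`, and the file unlinked once the note has been read back.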