Add doc on Unix temporary file security practice #70585
| @@ -1,10 +1,10 @@ | ||
| # Unix temporary files | ||
Member: I don't have a Mac to experiment with. Does anything in here differ for Mac? It seems that Macs support ACLs as well, and in some circumstances they are used in Linux as well. Should we include guidance for those? (@tmds)

Member: My expectation is that Mac will be similar to Linux: /tmp has the sticky bit, and a umask of at least 002.

Member: Are ACLs relevant to many Linux users, enough that (in theory) we should set them if available? Or are they mainly for special purposes?

Author: Mac has its own restrictions, and doesn't necessarily have a shared temp directory. Just in case, the above should probably be followed, but it may not be necessary, depending on the configuration.
| The Unix support for temporary files is different from the Windows model and developers who | ||
| are used to Windows may inadvertantly create security risk if they use the same practices on Unix. | ||
| The Unix support for temporary files is different from the Windows model and developers who | ||
Member: This should explicitly state that the guidance applies to not just files but anything file-like. The .NET diagnostics tools use FIFO/sockets in temp IIRC.

Author: Unix domain sockets have different restrictions, and don't necessarily follow this guidance.
| are used to Windows may inadvertantly create security risk if they use the same practices on Unix. | ||
agocke marked this conversation as resolved.
| Most notably, the Windows model for temporary files is that the operating system provides each user with a *unique*, *user-owned* temporary directory. | ||
| Most notably, the Windows model for temporary files is that the operating system provides each user with a *unique*, *user-owned* temporary directory. | ||
| Moreover, all Windows users, including the service and system users, have designated user folders, including temporary folders. | ||
| The Unix model is very different. The temp directory, assuming there is one, is often a global folder (except on MacOS). | ||
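Review bot: "inadvertantly" in the second sentence should be "inadvertently", and "MacOS" in the last line should be "macOS". More substantively, the opening paragraph says Windows habits "create security risk" on Unix without naming the risk; the sentence contrasting the global temp directory should state it plainly (the directory is shared with other local users, so an entry may already exist, or be placed, at the name the application expects), and, as raised in the thread, the scope sentence should say the guidance covers anything created in the temp directory (FIFOs and similar), with a pointer to the separate rules for Unix domain sockets.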
@@ -42,4 +42,4 @@ multiple processes. Some considerations: | |
| - There is no automatic cleanup in user folders. Files will remain permanently or require cleanup by the app | ||
| - Some environments do not have user home folders (e.g., systemd). Consider providing an environment variable | ||
Member: systemd has a

Member: Maybe also worth mentioning:

Member: Some interesting requirements there, including that files not survive reboot. It might be worth specifying here that we should not expect our temp files to survive reboot, but we should not expect them to be cleaned up by reboot either.
| to override the location of the temporary folder, and provide user documentation for this variable. | ||
| to override the location of the temporary folder, and provide user documentation for this variable. | ||
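Review bot: "(e.g., systemd)" in the second bullet is imprecise: it is services started by systemd (and similar supervisors) that may lack a home directory, not systemd itself, so "e.g., services run under systemd" reads better. The environment-variable advice should also say that the override location has to meet the same requirements as the default (owned by the user, no group or world write access), otherwise a variable read from the environment becomes a way to redirect temp files into a directory the rest of the document would reject. As the discussion notes, the lifetime expectation belongs here too: temp files should not be expected to survive a reboot, nor be expected to be removed by one. Minor: the first bullet is missing its full stop.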
Would it be reasonable to expand the scope a little to cover "Unix file and directory permissions" in general? Wherever we write a file, we should set minimum permissions on it. And we would have the same guidance that there should be no perms for group and world unless they are required.
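As an added example (not the PR's document and not .NET runtime code), a Python sketch of the two points raised in this thread: the comment above that files we write should get minimum permissions (nothing for group or world), and the earlier remark that a shared /tmp is only workable because of the sticky bit and a restrictive umask. The function names (`temp_dir_findings`, `create_private_temp_file`, `demo`) and the sample directory it builds are this example's own.

```python
import os
import secrets
import stat
import tempfile

def temp_dir_findings(path):
    """Reasons why `path` is unsafe for private temp files; [] means acceptable.
    Acceptable: a real directory owned by this user or root that, if group/other
    can write to it, has the sticky bit so they cannot rename or unlink our entries.
    """
    st = os.lstat(path)
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symlink")
    elif not stat.S_ISDIR(st.st_mode):
        findings.append("not a directory")
    if st.st_uid not in (0, os.getuid()):
        findings.append("owned by uid %d, not root or current user" % st.st_uid)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH) and not mode & stat.S_ISVTX:
        findings.append("writable by group/other without sticky bit")
    return findings

def create_private_temp_file(directory, prefix="app-"):
    """Create a file only this user can read or write; return (fd, path, mode).
    O_EXCL fails if the name already exists, so an entry placed there earlier is
    never opened; O_NOFOLLOW is a second guard; fchmod pins 0600 regardless of umask.
    """
    flags = os.O_RDWR | os.O_CREAT | os.O_EXCL | os.O_CLOEXEC | getattr(os, "O_NOFOLLOW", 0)
    for _ in range(100):
        # Unpredictable name: a guessable name in a shared directory is the root problem.
        path = os.path.join(directory, prefix + secrets.token_hex(16))
        try:
            fd = os.open(path, flags, 0o600)
        except FileExistsError:
            continue
        os.fchmod(fd, 0o600)
        return fd, path, stat.S_IMODE(os.fstat(fd).st_mode)
    raise OSError("could not create a unique temp file in " + directory)

def demo():
    """Run the checks in a constructed directory we own; returns the observations."""
    d = tempfile.mkdtemp()                      # mode 0700, owned by us
    private = temp_dir_findings(d)              # expect []
    os.chmod(d, 0o777)                          # misconfigured: world-writable, no sticky bit
    world_writable = temp_dir_findings(d)
    os.chmod(d, 0o1777)                         # like a sane /tmp
    fd, path, mode = create_private_temp_file(d)
    os.close(fd); os.unlink(path); os.rmdir(d)
    return private, world_writable, mode
```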