
S-plus /tmp usage

by Nikola Strahija on January 8th, 2003

As installed on UNIX machines, Splus uses files in /tmp in an unsafe way.

S-PLUS is a statistical analysis, graphics and programming tool.




The main Sqpe binary, and various shell script modules, use files in /tmp:

Clobbers /tmp/__F$$:
open("/tmp/__F8499", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

Clobbers /tmp/PRINT.$$.out

Clobbers /tmp/SUBST$PID.TXT /tmp/ed.cmds$PID

May clobber and use /tmp/file.1 /tmp/file.2

May clobber and use /tmp/file.1

Clobbers /tmp/sgml2html$$tmp /tmp/sgml2html$$tmp1 /tmp/sgml2html$$tmp2

Suppose an attacker creates a symlink from any of the "clobbered" files to
one owned by the victim: the attacker guesses the PID that will be used, runs

ln -s ~victim/.profile /tmp/__F123

and waits for the victim to use Splus, then the victim's .profile will be
trashed. Some or all of these attacks may then be escalated to arbitrary
command execution; if root ever uses Splus then the damage is much greater.

It might be argued that it is hard to guess what PID will be used next.
It is easy enough to create a few thousand symlinks with likely PIDs; in
fact the attacker could create a symlink for every possible PID (as these
normally range from 0 to 32k or 64k).


5 Dec 2002 StatSci/Insightful notified about shell scripts
9 Dec 2002 Insightful notified about Sqpe
11 Dec 2002 We are currently investigating
17 Dec 2002 continuing to look into your queries
18 Dec 2002 anticipate tmpfile() ... in the next release
26 Dec 2002 Another list might be


The scripts could be patched trivially using one of the textbook methods,
e.g. using a safe directory:
mkdir -m 700 /tmp/mydir$$ || exit 1
# ... do things to /tmp/mydir$$/myfile ...
rm -rf /tmp/mydir$$

Fixing Sqpe is harder. One could (safely) pre-create /tmp/__F$$, e.g.:

*** splus/6.0/cmd/NEW.old Tue Oct 10 16:06:37 2000
--- splus/6.0/cmd/NEW Tue Dec 24 09:15:59 2002
*** 9,13 ****
--- 9,19 ----
echo $target not found; exit 1
+ set -e
+ umask 077
+ mkdir /tmp/F$$
+ touch /tmp/F$$/__F$$
+ mv -i /tmp/F$$/__F$$ /tmp + rmdir /tmp/F$$
exec $target
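
Review bot: the added `mv -i /tmp/F$$/__F$$ /tmp` step is the only guard against a /tmp/__F$$ that already exists, and it depends on an interactive prompt rather than on an explicit check. Under `set -e` the script stops only if mv exits non-zero, so if the prompt is declined or never seen the launcher may still reach `exec $target` with someone else's /tmp/__F$$ in place; consider testing explicitly that the file now at /tmp/__F$$ is the one just created and exiting non-zero otherwise. In this copy `+ rmdir /tmp/F$$` is fused onto the mv line and should be its own added line, and /tmp/F$$ is left behind whenever `set -e` aborts before that point.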

but Sqpe would still be open to races as it repeatedly open()s and
unlink()s that file. A proper fix will have to come from the vendor.


Paul Szabo - [email protected]
School of Mathematics and Statistics University of Sydney 2006 Australia
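
The difference between the open() flags in the trace above and an exclusive create, shown as an added example that is not part of the advisory or of S-PLUS. The function names, the demo directory and the file names are constructed for illustration, and everything happens inside a private mkdtemp() directory.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags from the trace in the advisory: follows a symlink and truncates its target. */
static int open_clobbering(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0666);
}

/* Exclusive create: with O_CREAT|O_EXCL the final component is never followed,
 * so an existing name (regular file or symlink) makes open() fail with EEXIST. */
static int open_exclusive(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Plants a symlink at a predictable temp name inside a private directory,
 * opens that name, and returns the size of the symlink's target afterwards.
 * All names here are constructed for the demo. */
long victim_size_after_open(int hardened) {
    char dir[] = "/tmp/tmpdemo-XXXXXX";
    char victim[64], tmpname[64];
    struct stat st;
    long size = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/profile", dir);
    snprintf(tmpname, sizeof tmpname, "%s/__F123", dir);
    FILE *f = fopen(victim, "w");
    if (f != NULL) {
        fputs("export PATH=/usr/bin\n", f);   /* 21 bytes of sample content */
        fclose(f);
        if (symlink(victim, tmpname) == 0) {
            int fd = hardened ? open_exclusive(tmpname) : open_clobbering(tmpname);
            if (fd >= 0) close(fd);
            if (stat(victim, &st) == 0) size = (long)st.st_size;
        }
    }
    unlink(tmpname); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("O_CREAT|O_TRUNC: target is %ld bytes\n", victim_size_after_open(0));
    printf("O_CREAT|O_EXCL:  target is %ld bytes\n", victim_size_after_open(1));
    return 0;
}
```

mkstemp() and tmpfile() combine an unpredictable name with the same exclusive create, which is why they are the usual replacement for names built from the PID.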
