Re: Bug#278283: insecure temporary file usage in gettextize and autopoin

From: Alexandre Duret-Lutz
Subject: Re: Bug#278283: insecure temporary file usage in gettextize and autopoint (fwd)
Date: Tue, 26 Oct 2004 17:11:20 +0200

On Tue, Oct 26, 2004 at 03:40:46PM +0200, Bruno Haible wrote:
> Aha! So you mean to say, the only way to securely create a file using usual
> shell script constructs like
>    filename=`command to compute a temp filename`
>    echo "some contents" > $filename
> is to make filename sit in a temporary directory under /tmp, not directly
> in /tmp ?

I don't know, but that's what I would do anyway.

Something like

   set -C
   umask 077
   echo "some contents" > $filename && ...

seems to work with my shell, but you can google reports about "set -C"
not being portable.  Also reading Posix it's not clear to me whether this
is really expected to fail when $filename is a symlink.

> > {
> >   tmp=`(umask 077 && mktemp -d -q "$TMPDIR/fooXXXXXX") 2>/dev/null` &&
> >   test -n "$tmp" && test -d "$tmp"
> > }  ||
> > {
> >   tmp=$TMPDIR/foo$$-$RANDOM
> >   (umask 077 && mkdir $tmp)
> > } ||
> > {
> >    echo "$me: cannot create a temporary directory in $TMPDIR" >&2
> >    { (exit 1); exit 1; }
> > }
> Not bad, but still not perfect: mktemp is not a POSIX standardized
> utility, and $RANDOM is bash specific. So what do you propose on POSIX
> systems without mktemp and bash? Just fall back on the unsecure foo$$
> pattern?

Doesn't this happen when $RANDOM is undefined?

Why do you call this unsecure?  Either the directory already exists
and your script aborts, or the directory is created with safe permissions.

If someone created all the possible foo$$ patterns, or simply filled
/tmp up, you can always suggest the user to set TMPDIR to some
directory of his.

> Or ship an mktemp.c with the package, to be compiled by 'configure'
> very early?

Hell, no! :)

> It would be nice if we could write up the result of this discussion, when
> finished, in the autoconf manual.

Would be helpful, unless it boils down to "use AS_TMPDIR".  (I mention
this because in the past the discussion about "dirname" included a
shell snippet showing how to emulate it, and this has now been
replaced by "use AS_DIRNAME" which is less instructive.)
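As an added example (my own code, not from this thread nor from gettext or autoconf): a portable sh version of the mktemp-then-mkdir fallback quoted above, together with a small probe of whether `set -C` really refuses to write into an existing file. The function names and the `try_mkdir` helper are my own.

```shell
#!/bin/sh
# Added example, not from the thread: secure temp-dir creation in portable
# sh using the mktemp -> mkdir fallback quoted above, plus a probe of the
# `set -C` (noclobber) behaviour the reply is unsure about. Function names
# (make_tmpdir, try_mkdir, noclobber_blocks) are assumptions of mine.

TMPDIR=${TMPDIR:-/tmp}

# try_mkdir DIR: create DIR with mode 0700. mkdir(2) is atomic and fails if
# DIR already exists, so a pre-planted entry (file, symlink or directory)
# makes us fail instead of silently reusing it. This is why the foo$$
# fallback is safe as long as the failure is honoured, as argued above.
try_mkdir() {
    (umask 077 && mkdir "$1") 2>/dev/null
}

# make_tmpdir PREFIX: print the path of a fresh private directory.
# 1. mktemp -d (not POSIX, but safe and unpredictable where present);
# 2. otherwise PREFIX$$-$RANDOM under umask 077; $RANDOM is bash-only and
#    simply expands to nothing in other shells, leaving the foo$$ name.
make_tmpdir() {
    prefix=$1
    tmp=`(umask 077 && mktemp -d -q "$TMPDIR/${prefix}XXXXXX") 2>/dev/null`
    if test -n "$tmp" && test -d "$tmp"; then
        echo "$tmp"
        return 0
    fi
    tmp="$TMPDIR/$prefix$$-$RANDOM"
    if try_mkdir "$tmp"; then
        echo "$tmp"
        return 0
    fi
    echo "cannot create a temporary directory in $TMPDIR" >&2
    return 1
}

# noclobber_blocks FILE: succeed (0) if `set -C` makes `> FILE` fail
# because FILE already exists, i.e. the shell refused to truncate it.
noclobber_blocks() {
    if ( set -C; echo data > "$1" ) 2>/dev/null; then
        return 1      # the shell wrote into the existing file anyway
    fi
    return 0
}
```

Run it under the shell you care about (dash, bash, ksh) to see whether `noclobber_blocks` holds there; the directory returned by `make_tmpdir` is left for the caller to remove.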
