Date:      Wed, 21 Oct 1998 10:31:05 +0800
From:      Peter Wemm <peter@netplex.com.au>
To:        Warner Losh <imp@village.org>
Cc:        Matthew Dillon <dillon@apollo.backplane.com>, Bruce Evans <bde@zeta.org.au>, cvs-all@FreeBSD.ORG, cvs-committers@FreeBSD.ORG
Subject:   Re: cvs commit: src/lib/libc/stdio mktemp.c 
Message-ID:  <199810210231.KAA14549@spinner.netplex.com.au>
In-Reply-To: Your message of "Tue, 20 Oct 1998 15:34:00 CST." <199810202134.PAA28899@harmony.village.org> 

Warner Losh wrote:
> In message <199810201912.MAA28626@apollo.backplane.com> Matthew Dillon writes:
> :     We have enough problems with security, we don't need to add mkstemp()
> :     to the fray after the time had been spent to make it secure.  I don't
> :     give a fart what the 'standards' say... creating files in /tmp is
> :     already an extremely dangerous proposition.  Don't screw it up even more
> :     by de-securing the function call!
> 
> Any commits that make mkstemp not create the file 600 will be backed out by
> me with extreme prejudice.  Period.  I don't give two rats asses
> about standards, tradition or anything else.  If an application wants
> to share a /tmp file with someone else, fchmod(2) exists for those
> people.
> 
> Sorry to be so harsh, but I agree 100% with Matt here.  We have enough
> problems with people not using mkstemp in the tree now that I don't
> want *ANYTHING* to make mkstemp any less secure.  I'll have to take
> a good hard look at Peter's commit to see what he's trying to fix.

This was the alternative that I was considering:

Index: mktemp.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/stdio/mktemp.c,v
retrieving revision 1.12
diff -u -r1.12 mktemp.c
--- mktemp.c	1998/10/20 15:33:21	1.12
+++ mktemp.c	1998/10/21 02:27:09
@@ -148,13 +148,18 @@
 	for (;;) {
 		if (doopen) {
 			if ((*doopen =
-			    open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0)
+			    open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0) {
+				fchmod(fd, 0600);
 				return(1);
+			}
 			if (errno != EEXIST)
 				return(0);
 		} else if (domkdir) {
-			if (mkdir(path, 0700) == 0)
+			if (mkdir(path, 0700) == 0) {
+				/* chmod here should be safe enough... */
+				chmod(path, 0700);
 				return(1);
+			}
 			if (errno != EEXIST)
 				return(0);
 		} else if (lstat(path, &sbuf))
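Review bot: `fchmod(fd, 0600)` in the open branch names a variable `fd` that does not appear anywhere in the hunk; the descriptor this code just obtained is stored in `*doopen`, so unless `_gettemp()` has a local `fd` that the hunk does not show, this will not compile, and it should read `fchmod(*doopen, 0600)`. Both `fchmod()` and `chmod()` also have their return values discarded, so a failure silently leaves the file or directory at the umask-narrowed mode the change is meant to correct; treat a failure as a failed creation (close and unlink the file, or rmdir the directory) and `return(0)` rather than `return(1)`. In the mkdir branch, `chmod(path, 0700)` acts on the name rather than on the directory just created, which is what the "safe enough" comment is glossing over: between `mkdir()` and `chmod()` another process with write access to the parent can swap `path` for something else. The sticky bit on `/tmp` rules that out there, but mktemp templates are not restricted to `/tmp`. A descriptor-based fix is awkward for the directory case, since a directory left at mode 0000 by a 0777 umask cannot be `open()`ed by its owner for `fchmod()`, so if the path-based `chmod()` stays, the comment should state that sticky-parent assumption explicitly.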

This ensures that the created files and directories are accessible to the 
caller no matter how silly the umask is.

> Warner
> 

Cheers,
-Peter
--
Peter Wemm <peter@netplex.com.au>   Netplex Consulting
"No coffee, No workee!" :-)



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
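The umask interaction Peter's note is about, as an added example that is not code from this thread or from FreeBSD's libc. It recreates both branches of the hunk under a chosen umask: open() with O_CREAT|O_EXCL|O_RDWR and mode 0600, optionally followed by fchmod() on the descriptor, and mkdir() with 0700, optionally followed by chmod() on the path, then reports the permission bits each actually ended up with. The function names and the `umask-demo.<pid>.<n>` file names under $TMPDIR (or /tmp) are this example's own choices, and the directory branch uses chmod() on the path rather than fchmod() because a directory narrowed to mode 0000 cannot be open()ed by its owner.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build a fresh, process-unique name under $TMPDIR or /tmp (demo naming only). */
static void demo_path(char *buf, size_t len)
{
	static unsigned seq;
	const char *dir = getenv("TMPDIR");

	if (dir == NULL || *dir == '\0')
		dir = "/tmp";
	snprintf(buf, len, "%s/umask-demo.%ld.%u", dir, (long)getpid(), seq++);
}

/*
 * File branch of the hunk: open(O_CREAT|O_EXCL|O_RDWR, 0600) under umask 'um'.
 * The kernel applies 0600 & ~um at creation; fchmod() is not subject to umask,
 * so with fix_mode set the descriptor is put back to exactly 0600.
 * Returns the resulting permission bits, or -1 with errno set.
 */
int temp_file_mode(mode_t um, int fix_mode)
{
	char path[256];
	struct stat sb;
	mode_t old = umask(um);
	int fd, saved = 0, result = -1;

	demo_path(path, sizeof path);
	fd = open(path, O_CREAT|O_EXCL|O_RDWR, 0600);
	if (fd >= 0) {
		if ((!fix_mode || fchmod(fd, 0600) == 0) && fstat(fd, &sb) == 0)
			result = (int)(sb.st_mode & 07777);
		saved = errno;
		close(fd);
		unlink(path);	/* the demo never leaves the file behind */
		errno = saved;
	}
	umask(old);
	return result;
}

/*
 * Directory branch of the hunk: mkdir(path, 0700) under umask 'um', then
 * chmod(path, 0700) if fix_mode is set.  chmod() on the name is used because
 * a directory left at 0000 by a 0777 umask cannot be open()ed for fchmod().
 * Returns the resulting permission bits, or -1 with errno set.
 */
int temp_dir_mode(mode_t um, int fix_mode)
{
	char path[256];
	struct stat sb;
	mode_t old = umask(um);
	int saved = 0, result = -1;

	demo_path(path, sizeof path);
	if (mkdir(path, 0700) == 0) {
		if ((!fix_mode || chmod(path, 0700) == 0) && stat(path, &sb) == 0)
			result = (int)(sb.st_mode & 07777);
		saved = errno;
		rmdir(path);
		errno = saved;
	}
	umask(old);
	return result;
}

int main(void)
{
	printf("umask 077,  open 0600, no fchmod : %04o\n", temp_file_mode(0077, 0));
	printf("umask 0777, open 0600, no fchmod : %04o\n", temp_file_mode(0777, 0));
	printf("umask 0777, open 0600, fchmod    : %04o\n", temp_file_mode(0777, 1));
	printf("umask 0266, open 0600, no fchmod : %04o\n", temp_file_mode(0266, 0));
	printf("umask 0777, mkdir 0700, no chmod : %04o\n", temp_dir_mode(0777, 0));
	printf("umask 0777, mkdir 0700, chmod    : %04o\n", temp_dir_mode(0777, 1));
	return 0;
}
```

The usual 077 umask changes nothing, which is why the extra call is easy to dismiss; a umask such as 0266 or 0777 shows the creation mode being narrowed to 0400 or to 0000, and the follow-up fchmod()/chmod() is what puts it back. Note that the masking only ever removes bits, so the follow-up never widens access beyond the 0600/0700 the caller asked for.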



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199810210231.KAA14549>