Date: Wed, 21 Oct 1998 10:31:05 +0800 From: Peter Wemm <peter@netplex.com.au> To: Warner Losh <imp@village.org> Cc: Matthew Dillon <dillon@apollo.backplane.com>, Bruce Evans <bde@zeta.org.au>, cvs-all@FreeBSD.ORG, cvs-committers@FreeBSD.ORG Subject: Re: cvs commit: src/lib/libc/stdio mktemp.c Message-ID: <199810210231.KAA14549@spinner.netplex.com.au> In-Reply-To: Your message of "Tue, 20 Oct 1998 15:34:00 CST." <199810202134.PAA28899@harmony.village.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Warner Losh wrote: > In message <199810201912.MAA28626@apollo.backplane.com> Matthew Dillon writes : > : We have enough problems with security, we don't need to add mkstemp() > : to the fray after the time had been spent to make it secure. I don't > : give a fart what the 'standards' say... creating files in /tmp is > : already an extremely dangerous proposition. Don't screw it up even mor e > : by de-securing the function call! > > Any commits tha mkstemp not create the file 600 will be backed out by > me with extreme prejustice. Period. I don't give two rats asses > about standards, tradition or anything else. If an application wants > to share a /tmp file with someone else, fchmod(2) exists for those > people. > > Sorry to be so harsh, but I agree 100% with Matt here. We have enough > problems with people not using mkstemp in the tree now that I don't > want to *ANYTHING* to make mkstemp any less secure. I'll have to take > a good hard look at Peter's commit to see what he's trying to fix. This was the alternative that I was considering: Index: mktemp.c =================================================================== RCS file: /home/ncvs/src/lib/libc/stdio/mktemp.c,v retrieving revision 1.12 diff -u -r1.12 mktemp.c --- mktemp.c 1998/10/20 15:33:21 1.12 +++ mktemp.c 1998/10/21 02:27:09 @@ -148,13 +148,18 @@ for (;;) { if (doopen) { if ((*doopen = - open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0) + open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0) { + fchmod(fd, 0600); return(1); + } if (errno != EEXIST) return(0); } else if (domkdir) { - if (mkdir(path, 0700) == 0) + if (mkdir(path, 0700) == 0) { + /* chmod here should be safe enough... */ + chmod(path, 0700); return(1); + } if (errno != EEXIST) return(0); } else if (lstat(path, &sbuf)) This ensures that the created files and directories are accessible to the caller no matter how silly the umask is. > Warner > Cheers, -Peter -- Peter Wemm <peter@netplex.com.au> Netplex Consulting "No coffee, No workee!" :-) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199810210231.KAA14549>