From owner-freebsd-audit Thu Nov 2 02:20:50 2000
From: Kris Kennaway
To: audit@freebsd.org
Subject: sort(1) tempfile patch
Date: Thu, 2 Nov 2000 02:22:42 -0800
Message-ID: <20001102022242.A24460@citusc17.usc.edu>

Sort creates braindead temporary filenames which are easily
predictable. As far as I can see, the sequential numbering has no
function, since the filenames are stored in a linked list and so the
ordering information is already there.

Please review..

Kris

Index: sort.c
===================================================================
RCS file: /mnt/ncvs/src/gnu/usr.bin/sort/sort.c,v
retrieving revision 1.17
diff -u -r1.17 sort.c
--- sort.c      2000/07/31 23:36:08     1.17
+++ sort.c      2000/11/02 06:12:48
@@ -340,7 +340,7 @@
   FILE *fp;
   int fd;
 
-  fd = open (file, O_EXCL | O_WRONLY | O_CREAT | O_TRUNC, 0600);
+  fd = open (file, O_WRONLY | O_CREAT | O_TRUNC, 0600);
   if (fd < 0 || (fp = fdopen (fd, "w")) == NULL)
     {
       error (0, errno, "%s", file);
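Review bot: removing O_EXCL from this open() gives up the exclusive-creation guarantee at the point where the file is actually written. With the tempname() change in the same patch the name already exists by the time this runs (mkstemp() created it and its descriptor was closed), so any reopen by name, with or without O_EXCL, trusts the path rather than the file mkstemp() made. Keep the descriptor mkstemp() returned (have tempname() hand it back alongside the name, or store it in the tempnode) and pass it to fdopen(fd, "w") here; if a by-name reopen must stay, drop O_CREAT as well so that a missing file is reported as an error instead of being recreated without the mkstemp() protections.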
@@ -420,22 +420,24 @@
 static char *
 tempname (void)
 {
-  static unsigned int seq;
+  int fd;
   int len = strlen (temp_file_prefix);
   char *name = xmalloc (len + 1 + sizeof ("sort") - 1 + 5 + 5 + 1);
   struct tempnode *node;
 
   node = (struct tempnode *) xmalloc (sizeof (struct tempnode));
   sprintf (name,
-           "%s%ssort%5.5d%5.5d",
+           "%s%ssortXXXXXXXXXX",
            temp_file_prefix,
-           (len && temp_file_prefix[len - 1] != '/') ? "/" : "",
-           (unsigned int) getpid () & 0xffff, seq);
+           (len && temp_file_prefix[len - 1] != '/') ? "/" : "");
 
-  /* Make sure that SEQ's value fits in 5 digits.  */
-  ++seq;
-  if (seq >= 100000)
-    seq = 0;
+  if ((fd = mkstemp(name)) == -1)
+    {
+      error (0, errno, _("mkstemp error"));
+      cleanup ();
+      exit (2);
+    }
+  close(fd);
 
   node->name = name;
   node->next = temphead.next;

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
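Review bot: the buffer size `len + 1 + sizeof ("sort") - 1 + 5 + 5 + 1` still encodes the old two five-digit fields; it happens to equal the new requirement (prefix, optional '/', "sort", ten X's, NUL) but should be derived from the template, e.g. `len + 1 + sizeof ("sortXXXXXXXXXX")`, so the two cannot drift apart. The ten-X template also depends on a mkstemp() that randomises more than six X's, which FreeBSD's does but portable implementations do not, and that deserves a comment. On the error path `error (0, errno, _("mkstemp error"))` omits the path; `error (0, errno, "%s", name)` matches the other call sites in this file and tells the user which directory failed. Lastly, `close(fd)` throws away the one descriptor that is guaranteed to refer to the freshly created file, only for the same patch to open the name again later by path.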
From owner-freebsd-audit Thu Nov 2 11:03:40 2000
From: Garance A Drosihn
To: Kris Kennaway, audit@FreeBSD.ORG
Subject: Re: sort(1) tempfile patch
Date: Thu, 2 Nov 2000 14:03:33 -0500
In-Reply-To: <20001102022242.A24460@citusc17.usc.edu>

Didn't we already have a fix to sort, which was to create a
subdirectory under /tmp and then have sort create all of its temp
files in that subdirectory?

If the files are in a correctly-permitted subdirectory, then we don't
have to care what the filename-creation algorithm is (not wrt
security, that is).

---
Garance Alistair Drosehn  =  gad@eclipse.acs.rpi.edu
Senior Systems Programmer  or  gad@freebsd.org
Rensselaer Polytechnic Institute  or  drosih@rpi.edu
From owner-freebsd-audit Thu Nov 2 11:59:40 2000
From: Mike Heffner
To: Garance A Drosihn
Cc: audit@FreeBSD.ORG, Kris Kennaway
Subject: Re: sort(1) tempfile patch
Date: Thu, 02 Nov 2000 14:59:35 -0500 (EST)

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=34587+0+archive/2000/freebsd-audit/20000130.freebsd-audit

On 02-Nov-2000 Garance A Drosihn wrote:
| Didn't we already have a fix to sort, which was to create a
| subdirectory under /tmp and then have sort create all of
| it's temp files in that subdirectory?
|
| If the files are in a correctly-permitted subdirectory,
| then we don't have to care what the filename-creation
| algorithm is (not wrt security, that is).

--
Mike Heffner
Blacksburg, VA
ICQ# 882073
http://my.ispchannel.com/~mheffner
From owner-freebsd-audit Thu Nov 2 14:32:30 2000
From: Garance A Drosihn
To: Mike Heffner
Cc: audit@FreeBSD.ORG, Kris Kennaway
Subject: Re: sort(1) tempfile patch
Date: Thu, 2 Nov 2000 17:32:19 -0500

At 2:59 PM -0500 11/2/00, Mike Heffner wrote:
>http://docs.freebsd.org/cgi/getmsg.cgi?fetch=34587+0+archive/2000/freebsd-audit/20000130.freebsd-audit
>

Okay, that looks a lot like the update I was thinking of. Was this
update never applied? Or was it lost somewhere along the line? I
prefer the strategy of this update.

---
Garance Alistair Drosehn  =  gad@eclipse.acs.rpi.edu
Senior Systems Programmer  or  gad@freebsd.org
Rensselaer Polytechnic Institute  or  drosih@rpi.edu
From owner-freebsd-audit Thu Nov 2 15:06:58 2000
From: Mike Heffner
To: Garance A Drosihn
Cc: Kris Kennaway, audit@FreeBSD.ORG
Subject: Re: sort(1) tempfile patch
Date: Thu, 02 Nov 2000 18:06:52 -0500 (EST)

On 02-Nov-2000 Garance A Drosihn wrote:
| At 2:59 PM -0500 11/2/00, Mike Heffner wrote:
| >http://docs.freebsd.org/cgi/getmsg.cgi?fetch=34587+0+archive/2000/freebsd-audit/20000130.freebsd-audit
| >
|
| Okay, that looks a lot like the update I was thinking of. Was
| this update never applied? Or was it lost somewhere along
| the line? I prefer the strategy of this update.

It was just never applied, I had submitted a PR about it too,
(bin/16929) and got the reply:

From: Tim Vanderhoek
To: freebsd-gnats-submit@FreeBSD.org, spock@techfour.net
Cc: vanderh@ecf.toronto.edu
Subject: Re: bin/16929: [PATCH] prevent possible race condition
Date: Tue, 16 May 2000 00:36:58 -0400 (EDT)

> >sort can create the following predictable tempfiles:
> >/tmp/sort{pid}{seq}

It appears that the security implications of this have already been
fixed in rev.1.11 of src/gnu/usr.bin/sort/sort.c.

....

so nothing was really done about it.

--
Mike Heffner
Blacksburg, VA
ICQ# 882073
http://my.ispchannel.com/~mheffner
From owner-freebsd-audit Thu Nov 2 18:20:18 2000
From: Kris Kennaway
To: Garance A Drosihn
Cc: Mike Heffner, audit@FreeBSD.ORG
Subject: Re: sort(1) tempfile patch
Date: Thu, 2 Nov 2000 18:22:02 -0800
Message-ID: <20001102182202.A26341@citusc17.usc.edu>

On Thu, Nov 02, 2000 at 05:32:19PM -0500, Garance A Drosihn wrote:
> At 2:59 PM -0500 11/2/00, Mike Heffner wrote:
> >http://docs.freebsd.org/cgi/getmsg.cgi?fetch=34587+0+archive/2000/freebsd-audit/20000130.freebsd-audit
> >
>
> Okay, that looks a lot like the update I was thinking of. Was
> this update never applied? Or was it lost somewhere along
> the line? I prefer the strategy of this update.

Why's that? If my patch works, it's a simpler change, and takes up one
fewer inode on /tmp :-)

Kris
From owner-freebsd-audit Thu Nov 2 19:06:55 2000
From: Mike Heffner
To: Kris Kennaway
Cc: audit@FreeBSD.ORG, Garance A Drosihn
Subject: Re: sort(1) tempfile patch
Date: Thu, 02 Nov 2000 22:06:50 -0500 (EST)
In-Reply-To: <20001102182202.A26341@citusc17.usc.edu>

On 03-Nov-2000 Kris Kennaway wrote:
| On Thu, Nov 02, 2000 at 05:32:19PM -0500, Garance A Drosihn wrote:
| > At 2:59 PM -0500 11/2/00, Mike Heffner wrote:
| > >http://docs.freebsd.org/cgi/getmsg.cgi?fetch=34587+0+archive/2000/freebsd-audit/20000130.freebsd-audit
| > >
| >
| > Okay, that looks a lot like the update I was thinking of. Was
| > this update never applied? Or was it lost somewhere along
| > the line? I prefer the strategy of this update.
|
| Why's that? If my patch works, it's a simpler change, and takes up one
| fewer inode on /tmp :-)
|

Well, looking at the archives, when I had originally submitted a patch
similar to yours, you had agreed with Garance A Drosihn that using a
secure directory was a better solution...

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=30362+0+archive/2000/freebsd-audit/20000130.freebsd-audit

--
Mike Heffner
Blacksburg, VA
ICQ# 882073
http://my.ispchannel.com/~mheffner
From owner-freebsd-audit Thu Nov 2 19:09:33 2000
From: Garance A Drosihn
To: Kris Kennaway
Cc: Mike Heffner, audit@FreeBSD.ORG
Subject: Re: sort(1) tempfile patch
Date: Thu, 2 Nov 2000 22:09:26 -0500
In-Reply-To: <20001102182202.A26341@citusc17.usc.edu>

At 6:22 PM -0800 11/2/00, Kris Kennaway wrote:
> Why's that?

Your method has one fewer inode in /tmp, but many more files in the
/tmp directory (directly in /tmp, as opposed to "some subdirectory of
/tmp"). If sort is going to create multiple temp files, then your
strategy puts all of those files in /tmp. I'd rather have one file in
/tmp, and then lots of sort-related files in /tmp/sort.random for each
user doing a sort.

On a multi-user system (one which actually has multiple active users),
one person doing a sort can cause a lot of "pollution" of /tmp, along
with constant locking as those temporary files are created and
destroyed.

Also, I like the idea of having to be paranoid only for the creation
of one directory, instead of having to be paranoid for every file
created.

---
Garance Alistair Drosehn  =  gad@eclipse.acs.rpi.edu
Senior Systems Programmer  or  gad@freebsd.org
Rensselaer Polytechnic Institute  or  drosih@rpi.edu
From owner-freebsd-audit Thu Nov 2 19:12:54 2000
From: Garance A Drosihn
To: Mike Heffner
Cc: Kris Kennaway, audit@FreeBSD.ORG
Subject: Re: sort(1) tempfile patch
Date: Thu, 2 Nov 2000 22:12:32 -0500

At 6:06 PM -0500 11/2/00, Mike Heffner wrote:
>It was just never applied, I had submitted a PR about it too,
>(bin/16929) and got the reply:
>
>From: Tim Vanderhoek
> To: freebsd-gnats-submit@FreeBSD.org, spock@techfour.net
> Subject: Re: bin/16929: [PATCH] prevent possible race condition
> Date: Tue, 16 May 2000 00:36:58 -0400 (EDT)
>
> > sort can create the following predictable tempfiles:
> > /tmp/sort{pid}{seq}
>
> It appears that the security implications of this have
> already been fixed in rev.1.11 of src/gnu/usr.bin/sort/sort.c.
>
>so nothing was really done about it.

Does that imply the security issue is already fixed (one way or
another) in rev 1.11, but that we never upgraded to rev 1.11? I mean,
if the security implications were addressed, then what is it that
prompts Kris's update?

---
Garance Alistair Drosehn  =  gad@eclipse.acs.rpi.edu
Senior Systems Programmer  or  gad@freebsd.org
Rensselaer Polytechnic Institute  or  drosih@rpi.edu
From owner-freebsd-audit Thu Nov 2 20:09:36 2000
From: Kris Kennaway
To: Garance A Drosihn
Cc: Mike Heffner, Kris Kennaway, audit@FreeBSD.ORG
Subject: Re: sort(1) tempfile patch
Date: Thu, 2 Nov 2000 20:10:51 -0800
Message-ID: <20001102201051.A26595@citusc17.usc.edu>

On Thu, Nov 02, 2000 at 10:12:32PM -0500, Garance A Drosihn wrote:
> At 6:06 PM -0500 11/2/00, Mike Heffner wrote:
> >It was just never applied, I had submitted a PR about it too,
> >(bin/16929) and got the reply:
> >
> >From: Tim Vanderhoek
> > To: freebsd-gnats-submit@FreeBSD.org, spock@techfour.net
> > Subject: Re: bin/16929: [PATCH] prevent possible race condition
> > Date: Tue, 16 May 2000 00:36:58 -0400 (EDT)
> >
> > > sort can create the following predictable tempfiles:
> > > /tmp/sort{pid}{seq}
> >
> > It appears that the security implications of this have
> > already been fixed in rev.1.11 of src/gnu/usr.bin/sort/sort.c.
> >
> >so nothing was really done about it.
>
> Does that imply the security issue is already fixed (one
> way or another) in rev 1.11, but that we never upgraded
> to rev 1.11? I mean, if the security implications were
> addressed, then what is it that prompts Kris's update.

The security issues were not addressed.

Kris
From owner-freebsd-audit Thu Nov 2 20:10:59 2000
From: Kris Kennaway
To: Mike Heffner
Cc: Kris Kennaway, audit@FreeBSD.ORG, Garance A Drosihn
Subject: Re: sort(1) tempfile patch
Date: Thu, 2 Nov 2000 20:12:30 -0800
Message-ID: <20001102201230.B26595@citusc17.usc.edu>

On Thu, Nov 02, 2000 at 10:06:50PM -0500, Mike Heffner wrote:
>
> On 03-Nov-2000 Kris Kennaway wrote:
> | On Thu, Nov 02, 2000 at 05:32:19PM -0500, Garance A Drosihn wrote:
> | > At 2:59 PM -0500 11/2/00, Mike Heffner wrote:
> | > >http://docs.freebsd.org/cgi/getmsg.cgi?fetch=34587+0+archive/2000/freebsd-audit/20000130.freebsd-audit
> | > >
> | >
> | > Okay, that looks a lot like the update I was thinking of. Was
> | > this update never applied? Or was it lost somewhere along
> | > the line? I prefer the strategy of this update.
> |
> | Why's that? If my patch works, it's a simpler change, and takes up one
> | fewer inode on /tmp :-)
> |
>
> Well, looking at the archives, when I had originally submitted a patch similar
> to yours, you had agreed with Garance A Drosihn that using a secure directory
> was a better solution...

Yeah - I didn't realise at the time that it could be done safely in
the style of my current patch: since sort(1) only uses the sequential
filenames for convenience, and doesn't rely on the naming convention,
we can just fix it directly with mkstemp().

Kris
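Both strategies argued over above, as an added example that is not the sort(1) patch or any FreeBSD code: mkstemp() with the returned descriptor kept and handed to fdopen() rather than closed and reopened by name, and Garance's single mkdtemp() directory holding plainly numbered files, each verified through fstat() on the open descriptor rather than on the path. It assumes a POSIX libc and constructs its templates under $TMPDIR or /tmp.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check the open descriptor, not the path, so a later rename or symlink at
 * the name cannot fool us: regular file, one link, our uid, no group/other bits. */
static int fd_is_private_regular(int fd)
{
    struct stat sb;
    if (fstat(fd, &sb) == -1)
        return 0;
    return S_ISREG(sb.st_mode) && sb.st_nlink == 1 &&
           sb.st_uid == geteuid() && (sb.st_mode & 077) == 0;
}

/* Strategy 1, the sort(1) patch without its close()/open() gap: mkstemp()
 * creates with O_CREAT|O_EXCL and mode 0600, and that same descriptor goes to
 * fdopen(). `tmpl` must end in X's and is overwritten with the chosen name. */
static FILE *open_private_tempfile(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd == -1)
        return NULL;
    FILE *fp = fdopen(fd, "w+");
    if (fp == NULL) {
        int saved = errno;
        close(fd);
        unlink(tmpl);
        errno = saved;
    }
    return fp;
}

/* Strategy 2, Garance's preference: one mkdtemp() directory (mode 0700) with
 * plain sequential names inside. The directory does the protecting; O_EXCL is
 * kept anyway so a leftover file is an error rather than silently reused. */
static int open_in_private_dir(const char *dir, unsigned seq,
                               char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/sort%05u", dir, seq);
    if (n < 0 || (size_t)n >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(out, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Exercise both strategies under $TMPDIR (or /tmp) and clean up.
 * Returns 0 on success, otherwise a small code naming the step that failed. */
static int demo(void)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    char path[4096], dir[4096], member[4096];
    int rc = 0;

    snprintf(path, sizeof path, "%s/sort.XXXXXX", base);   /* constructed template */
    FILE *fp = open_private_tempfile(path);
    if (fp == NULL)
        return 1;
    if (!fd_is_private_regular(fileno(fp)))
        rc = 2;
    fclose(fp);
    unlink(path);
    if (rc != 0)
        return rc;

    snprintf(dir, sizeof dir, "%s/sort.XXXXXX", base);     /* constructed template */
    if (mkdtemp(dir) == NULL)
        return 3;
    for (unsigned seq = 0; seq < 3 && rc == 0; seq++) {
        int fd = open_in_private_dir(dir, seq, member, sizeof member);
        if (fd == -1 || !fd_is_private_regular(fd))
            rc = 4;
        if (fd != -1) close(fd);
    }
    if (rc == 0) {  /* a second creation of an existing member must fail */
        int again = open_in_private_dir(dir, 0, member, sizeof member);
        if (again != -1 || errno != EEXIST)
            rc = 5;
        if (again != -1) close(again);
    }
    for (unsigned seq = 0; seq < 3; seq++) {
        snprintf(member, sizeof member, "%s/sort%05u", dir, seq);
        unlink(member);
    }
    rmdir(dir);
    return rc;
}

int main(void) { return demo(); }   /* exit status 0: both strategies passed */
```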
From owner-freebsd-audit Thu Nov 2 20:12:06 2000
From: Garance A Drosihn
To: Garance A Drosehn, freebsd-audit@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/lpr/lpr lpr.c
Date: Thu, 2 Nov 2000 23:12:01 -0500
In-Reply-To: <200011030329.TAA98575@freefall.freebsd.org>

People on cvs-all may have noticed the following go by:

At 7:29 PM -0800 11/2/00, Garance A Drosehn wrote:
>  Modified files:
>    usr.sbin/lpr/lpr     lpr.c
>  Log:
>  This update gets it so 'lpr -r' ("remove the file after printing") will
>  try to move the file from the source to the destination (spool) directory.
>  If that succeeds, much time and disk-space will be saved by doing that
>  instead of copying the entire file only to remove the original.  This
>  could be a big win on machines doing samba-service or CAP-based printing.
>
>  Note that this is about the fourth or fifth iteration of the patch, after
>  trying to address all possible security implications of the change.
>
>  PR:           16124
>  Reviewed by:  freebsd-current or freebsd-hackers (some time ago)

As I mentioned in the commit message, this change had been reviewed a
few times on one of the other mailing lists (about four months ago, I
think). The current version reflects some good observations in those
earlier reviews. However, given that this is an area where minor
subtleties could be significant, I would not feel at all insulted if
other "more security aware" people reviewed the change one more time,
looking for possible loopholes. I know the update WORKS, I just want
to make sure there is no subtle window which a clever hacker could
make use of to do "SomethingBad".

I'm also fairly confident that there are no such security-windows, but
as I say, I would not be insulted if anyone wanted to look it over one
more time. The update which was applied is pretty much the same as the
last one you'll see at:

http://www.freebsd.org/cgi/query-pr.cgi?pr=16124

(except for a few style changes, such as adding a few tabs, changing
comments, and moving the declaration of variables).

---
Garance Alistair Drosehn  =  gad@eclipse.acs.rpi.edu
Senior Systems Programmer  or  gad@freebsd.org
Rensselaer Polytechnic Institute  or  drosih@rpi.edu
From owner-freebsd-audit Fri Nov 3 11:54:31 2000
From: Kris Kennaway
To: obrien@FreeBSD.org, audit@FreeBSD.org
Subject: gcc/binutils tempfile fixes
Date: Fri, 3 Nov 2000 11:56:18 -0800
Message-ID: <20001103115618.A29306@citusc17.usc.edu>

Please review the following changes:

The current behaviour of gcc/binutils wrt tempfile creation is
insecure - for a given PID only 52 different tempfiles can be created,
leaving gcc vulnerable to symlink attacks and code corruption.

The libiberty version of mkstemp() seems to enforce using only 6 X's
for some reason - but it seems we (rightly) don't use this anyway.

David, how should we go about getting these fixed in gcc?

Kris

Index: binutils/binutils/bucomm.c
===================================================================
RCS file: /home/ncvs/src/contrib/binutils/binutils/bucomm.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 bucomm.c
--- binutils/binutils/bucomm.c  2000/06/20 06:19:29     1.1.1.4
+++ binutils/binutils/bucomm.c  2000/11/03 19:28:04
@@ -211,7 +211,7 @@
 make_tempname (filename)
      char *filename;
 {
-  static char template[] = "stXXXXXX";
+  static char template[] = "stXXXXXXXXXX";
   char *tmpname;
   char *slash = strrchr (filename, '/');
 
Index: binutils/libiberty/choose-temp.c
===================================================================
RCS file: /home/ncvs/src/contrib/binutils/libiberty/choose-temp.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 choose-temp.c
--- binutils/libiberty/choose-temp.c    2000/05/12 23:15:11     1.1.1.3
+++ binutils/libiberty/choose-temp.c    2000/11/03 19:27:49
@@ -71,7 +71,7 @@
 
 /* Name of temporary file.
    mktemp requires 6 trailing X's.  */
-#define TEMP_FILE "ccXXXXXX"
+#define TEMP_FILE "ccXXXXXXXXXX"
 
 /* Subroutine of choose_temp_base.
    If BASE is non-NULL, return it.
Index: gcc/choose-temp.c
===================================================================
RCS file: /home/ncvs/src/contrib/gcc/choose-temp.c,v
retrieving revision 1.4
diff -u -r1.4 choose-temp.c
--- gcc/choose-temp.c   2000/06/12 06:24:54     1.4
+++ gcc/choose-temp.c   2000/11/03 19:15:20
@@ -73,7 +73,7 @@
 
 /* Name of temporary file.
    mktemp requires 6 trailing X's.  */
-#define TEMP_FILE "ccXXXXXX"
+#define TEMP_FILE "ccXXXXXXXXXX"
 
 /* Subroutine of choose_temp_base.
    If BASE is non-NULL, return it.
Index: gcc.295/choose-temp.c
===================================================================
RCS file: /home/ncvs/src/contrib/gcc.295/choose-temp.c,v
retrieving revision 1.3
diff -u -r1.3 choose-temp.c
--- gcc.295/choose-temp.c       1999/11/04 10:23:25     1.3
+++ gcc.295/choose-temp.c       2000/11/03 19:17:33
@@ -73,7 +73,7 @@
 
 /* Name of temporary file.
    mktemp requires 6 trailing X's.  */
-#define TEMP_FILE "ccXXXXXX"
+#define TEMP_FILE "ccXXXXXXXXXX"
 
 /* Subroutine of choose_temp_base.
    If BASE is non-NULL, return it.
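Review bot: in the bucomm.c hunk the template grows from eight to twelve characters, but the allocation of `tmpname` lies outside the visible context; confirm it is sized from `sizeof template` (or strlen of it) rather than from a literal that matched the old "stXXXXXX", otherwise the longer template will overrun a buffer that was exactly big enough before.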
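Review bot: all three choose-temp.c hunks leave `mktemp requires 6 trailing X's.` as the comment directly above a TEMP_FILE with ten X's. Update the comment to say that the extra X's only help with a mktemp() that randomises more than six (FreeBSD libc does; libiberty's own mkstemps() and other portable implementations touch only the last six and leave the rest as literal X's), so this is a FreeBSD-specific contrib change and not something gcc upstream can take unchanged.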
From owner-freebsd-audit Fri Nov 3 11:57:25 2000
From: Kris Kennaway
Cc: obrien@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: gcc/binutils tempfile fixes
Date: Fri, 3 Nov 2000 11:59:14 -0800
Message-ID: <20001103115914.A29363@citusc17.usc.edu>
In-Reply-To: <20001103115618.A29306@citusc17.usc.edu>

On Fri, Nov 03, 2000 at 11:56:18AM -0800, Kris Kennaway wrote:
> Please review the following changes:

Doh, I forgot about the mktemp() fix which never got applied, which
fixes this in libc without needing to modify all users of mktemp() to
use >6 X's. Disregard, I'll just (finally) get that thing committed.

Kris
From: Kris Kennaway
To: audit@freebsd.org
Subject: mktemp() patch, again
Message-ID: <20001104145247.A9161@citusc17.usc.edu>

Based on the feedback from last time when I tried to get this into -current, here is an updated version of the mktemp() patch. Please review, etc.

I removed the comment about the directory scanning taking a very long time - I couldn't see the situation in which this would occur, although I could be wrong.

Kris

Index: stdio/mktemp.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libc/stdio/mktemp.c,v
retrieving revision 1.19
diff -u -r1.19 mktemp.c
--- stdio/mktemp.c 2000/01/27 23:06:46 1.19
+++ stdio/mktemp.c 2000/11/04 22:48:17
@@ -45,6 +45,7 @@ #include #include #include +#include #include #include =20
@@ -52,6 +53,9 @@ =20 static int _gettemp __P((char *, int *, int, int)); =20 +static const unsigned char padchar[] =3D +"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + int mkstemps(path, slen) char *path;
@@ -103,8 +107,10 @@ int slen; { register char *start, *trv, *suffp; + char *pad; struct stat sbuf; - int pid, rval; + int rval; + uint32_t pid; =20 if (doopen && domkdir) { errno =3D EINVAL;
@@ -120,26 +126,16 @@ errno =3D EINVAL; return (0); } - pid =3D getpid(); - while (*trv =3D=3D 'X' && pid !=3D 0) { - *trv-- =3D (pid % 10) + '0'; - pid /=3D 10; - } - while (*trv =3D=3D 'X') { - char c; =20 - pid =3D (arc4random() & 0xffff) % (26+26); - if (pid < 26) - c =3D pid + 'A'; - else - c =3D (pid - 26) + 'a'; - *trv-- =3D c; + /* Fill space with random characters */ + while (*trv =3D=3D 'X') { + pid =3D arc4random() % (sizeof(padchar) - 1); + *trv-- =3D padchar[pid]; } start =3D trv + 1; =20 /* - * check the target directory; if you have six X's and it - * doesn't exist this runs for a *very* long time. + * check the target directory. */ if (doopen || domkdir) { for (;; --trv) {
@@ -179,15 +175,11 @@ for (trv =3D start;;) { if (*trv =3D=3D '\0' || trv =3D=3D suffp) return(0); - if (*trv =3D=3D 'Z') - *trv++ =3D 'a'; + pad =3D strchr(padchar, *trv); + if (pad =3D=3D NULL || !*++pad) + *trv++ =3D padchar[0]; else { - if (isdigit((unsigned char)*trv)) - *trv =3D 'a'; - else if (*trv =3D=3D 'z') /* inc from z to A */ - *trv =3D 'A'; - else - ++*trv; + *trv++ =3D *pad; break; } }

From owner-freebsd-audit Sat Nov 4 14:53:30 2000
Date: Sat, 4 Nov 2000 14:55:14 -0800
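Review bot: in the `@@ -179,15 +175,11 @@` hunk, `pad = strchr(padchar, *trv)` passes `padchar`, declared `static const unsigned char padchar[]` in the earlier hunk, to `strchr()`, whose first parameter is `const char *`; compilers flag the incompatible pointer type. Every entry of the table is a plain ASCII digit or letter, so declaring it `static const char padchar[]` removes the mismatch with no change in behaviour. The carry logic itself is sound: a character that is not in the table, or is its last entry, wraps to `padchar[0]` and the loop advances to the next position; any other character steps to its successor and the loop stops.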
From: Kris Kennaway
To: Kris Kennaway
Cc: audit@FreeBSD.ORG
Subject: Re: mktemp() patch, again
Message-ID: <20001104145514.B9176@citusc17.usc.edu>
In-Reply-To: <20001104145247.A9161@citusc17.usc.edu>

On Sat, Nov 04, 2000 at 02:52:47PM -0800, Kris Kennaway wrote:

Oops

> + uint32_t pid;
+ pid_t pid;

Kris

From owner-freebsd-audit Sat Nov 4 16:58:34 2000
Date: Sat, 4 Nov 2000 17:00:17 -0800
From: Kris Kennaway
To: Kris Kennaway
Cc: audit@FreeBSD.ORG, peter.jeremy@alcatel.com.au
Subject: Re: mktemp() patch, again
Message-ID: <20001104170017.B10006@citusc17.usc.edu>
In-Reply-To: <20001104145247.A9161@citusc17.usc.edu>

green took my crack pipe away from me (pid isn't used to hold pids any more, don't make it a pid_t :-). I also updated what appears to be another bitrotten comment.

Kris

Index: stdio/mktemp.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libc/stdio/mktemp.c,v
retrieving revision 1.19
diff -u -r1.19 mktemp.c
--- stdio/mktemp.c 2000/01/27 23:06:46 1.19
+++ stdio/mktemp.c 2000/11/05 00:50:24
@@ -45,6 +45,7 @@ #include #include #include +#include #include #include =20
@@ -52,6 +53,9 @@ =20 static int _gettemp __P((char *, int *, int, int)); =20 +static const unsigned char padchar[] =3D +"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + int mkstemps(path, slen) char *path;
@@ -103,8 +107,10 @@ int slen; { register char *start, *trv, *suffp; + char *pad; struct stat sbuf; - int pid, rval; + int rval; + uint32_t rand; =20 if (doopen && domkdir) { errno =3D EINVAL;
@@ -120,26 +126,16 @@ errno =3D EINVAL; return (0); } - pid =3D getpid(); - while (*trv =3D=3D 'X' && pid !=3D 0) { - *trv-- =3D (pid % 10) + '0'; - pid /=3D 10; - } - while (*trv =3D=3D 'X') { - char c; =20 - pid =3D (arc4random() & 0xffff) % (26+26); - if (pid < 26) - c =3D pid + 'A'; - else - c =3D (pid - 26) + 'a'; - *trv-- =3D c; + /* Fill space with random characters */ + while (*trv =3D=3D 'X') { + rand =3D arc4random() % (sizeof(padchar) - 1); + *trv-- =3D padchar[rand]; } start =3D trv + 1; =20 /* - * check the target directory; if you have six X's and it - * doesn't exist this runs for a *very* long time. + * check the target directory. */ if (doopen || domkdir) { for (;; --trv) {
@@ -175,19 +171,15 @@ } else if (lstat(path, &sbuf)) return(errno =3D=3D ENOENT ? 1 : 0); =20 - /* tricky little algorithm for backward compatibility */ + /* If we have a collision, cycle through the space of filenames */ for (trv =3D start;;) { if (*trv =3D=3D '\0' || trv =3D=3D suffp) return(0); - if (*trv =3D=3D 'Z') - *trv++ =3D 'a'; + pad =3D strchr(padchar, *trv); + if (pad =3D=3D NULL || !*++pad) + *trv++ =3D padchar[0]; else { - if (isdigit((unsigned char)*trv)) - *trv =3D 'a'; - else if (*trv =3D=3D 'z') /* inc from z to A */ - *trv =3D 'A'; - else - ++*trv; + *trv++ =3D *pad; break; } }
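Review bot: in the `@@ -103,8 +107,10 @@` hunk, the new local `uint32_t rand;` shares its name with the standard library function `rand(3)`, which this file sees if `<stdlib.h>` is among its includes; that compiles, but it shadows the function for the rest of `_gettemp()` and reads as though a PRNG call were involved. A name such as `rnd` or `r` avoids both problems, and the point of the rename (the value is no longer a pid) is preserved.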
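Review bot: in the `@@ -120,26 +126,16 @@` hunk, `rand = arc4random() % (sizeof(padchar) - 1)` picks one of 62 symbols by modulo reduction of a 32-bit value; since 2^32 mod 62 = 4, the symbols `0` through `3` are favoured by roughly one part in 70 million, which is negligible for a temporary file name but deserves a one-line comment so the next reader sees it was considered. Dropping the `getpid()`-derived decimal digits so that every X becomes a random symbol from the 62-entry table is the substantive fix here, and the hunk is otherwise correct: `sizeof(padchar) - 1` excludes the terminating NUL.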
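Review bot: the `@@ -175,19 +171,15 @@` hunk carries over `pad = strchr(padchar, *trv)` with `padchar` still declared `const unsigned char[]`, so the incompatible-pointer-type warning from the previous version of this patch remains; declaring the table `static const char padchar[]` fixes it without changing behaviour. The replacement comment, "If we have a collision, cycle through the space of filenames", accurately describes the loop and is a clear improvement over the "tricky little algorithm" one it removes.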