From owner-freebsd-ports Wed Jun 7 11:48:34 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id B5D2937B9CC; Wed, 7 Jun 2000 11:48:32 -0700 (PDT) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id LAA16374; Wed, 7 Jun 2000 11:48:32 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Wed, 7 Jun 2000 11:48:32 -0700 (PDT)
From: Kris Kennaway
To: mi@privatelabs.com
Cc: sobomax@FreeBSD.org, freebsd-ports@FreeBSD.org
Subject: Re: Call for arbitrage [Fwd: Re: ports/19047: net/arpwatch patched to use tmpfile() instead of mktemp()]
In-Reply-To: <200006071555.LAA92187@misha.privatelabs.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 7 Jun 2000 mi@privatelabs.com wrote:

> = int fd;
> = FILE *fp;
> =
> = if ((fd = mkstemp(foo)) == -1) {
> =         err(1, "mkstemp");
> = } else {
> =         unlink(fd);
> = }
> = if ((fp = fdopen(fd, "w+")) == NULL)
> =         err(1, "fdopen");
> =
> = ...
>
> Thank you, Kris, for agreeing to moderate, but your suggestion in
> itself is not applicable:
>
>         int unlink(const char *pathname);
>
>         unlink(foo);
>
> = This method is portable across platforms, and can safely be
> = reintegrated by the software author.
>
> The use of tmpfile is no less portable than the use of err :-). At least
> tmpfile _exists_ on other systems, even if it is not really a secure
> solution on some of them (which ones? is arpwatch even ported to
> others?)

So don't use err() - it's hardly the critical part of the sample code I
posted. The danger is that tmpfile exists, *but has different, insecure
semantics*, on other platforms, and so the code may compile but be even
more insecure than now. That's unacceptable.
> However, I'm glad I was able to spot the ld's warning about the use of
> mktemp and will now rest. The submitted patch works and is secure on all
> of the BSDs -- the users of the ports tree. The arpwatch maintainers
> will create their own anyway, I suspect.

As ports security officer, I'm requesting that you either rewrite the
patch to solve the problem correctly, or let the PR be closed. This is
not about what's easiest to code or what suits your "ego", it's about
what is secure on all platforms. I don't want to see patches using
tmpfile() going into ports.

Thanks,

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message