Date: Tue, 14 Feb 2012 01:09:00 GMT
From: grarpamp <grarpamp@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/165120: ed and sed - tmp file handling - security and location
Message-ID: <201202140109.q1E190LU076199@red.freebsd.org>
Resent-Message-ID: <201202140110.q1E1AEjv079132@freefall.freebsd.org>

>Number:         165120
>Category:       bin
>Synopsis:       ed and sed - tmp file handling - security and location
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 14 01:10:14 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     grarpamp
>Release:        HEAD
>Organization:
>Environment:
HEAD
>Description:
# /bin/ed has no means to relocate its temp file. Absent other
administrative solutions, this often leads to a full /tmp.

# /usr/bin/sed has legacy/poor temp file handling. Should be updated
to use mkstemp(3) so as to be more secure and therefore less clobberish.

Fix for both (add all three):

a) Add environment: TMPDIR

b) Add argument: -t <tmpdir>
   Takes precedence over environment.

c) Change the default to: mkstemp(realpath(<file>.XXXXXX))
   The directory that the file being edited resides in, and is naturally
   expected to be writable and have sufficient free space. Make tmp file
   named after <file> if possible so as to be recognizable if crash
   cleanup is needed.

## line no's are for RELENG_8, topic applies to 8/9/HEAD

# /bin/ed
buf.c:191:char sfn[15] = "";    /* scratch file name */
buf.c:202:    strcpy(sfn, "/tmp/ed.XXXXXX");
buf.c:203:    if ((fd = mkstemp(sfn)) == -1 ||

# /usr/bin/sed
main.c:114:static char tmpfname[PATH_MAX];    /* Temporary file name (for in-place editing) */
main.c:360:    unlink(tmpfname);
main.c:398:    len = snprintf(tmpfname, sizeof(tmpfname),
main.c:399:        "%s/.!%ld!%s", dirname(fname), (long)getpid(),
main.c:400:        basename(fname));
>How-To-Repeat:
Have space contention in /tmp.
Have security race or filename collision.
>Fix:
See above.
>Release-Note:
>Audit-Trail:
>Unformatted:
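
The selection order proposed in items a) to c) of the report, written out as an added example; this is not FreeBSD's ed or sed code and not a patch from the submitter. The names scratch_dir and open_scratch are hypothetical, and realpath(3) is applied to the chosen directory rather than to the file name.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Scratch directory precedence from the report: -t argument, then TMPDIR,
 * then the directory of the file being edited. */
static const char *scratch_dir(const char *tflag, char *filecopy)
{
    const char *env = getenv("TMPDIR");
    if (tflag != NULL && *tflag != '\0')
        return tflag;
    if (env != NULL && *env != '\0')
        return env;
    return dirname(filecopy);       /* may modify its argument, hence a copy */
}

/* Create "<realpath(dir)>/<basename>.XXXXXX" with mkstemp(3).
 * Returns an open fd and leaves the final name in out, or returns -1. */
int open_scratch(const char *file, const char *tflag, char *out, size_t outlen)
{
    char dbuf[PATH_MAX], bbuf[PATH_MAX], real[PATH_MAX];
    int n;

    if (strlen(file) >= PATH_MAX)
        return -1;
    strcpy(dbuf, file);
    strcpy(bbuf, file);
    if (realpath(scratch_dir(tflag, dbuf), real) == NULL)
        return -1;                  /* directory missing or not searchable */
    n = snprintf(out, outlen, "%s/%s.XXXXXX", real, basename(bbuf));
    if (n < 0 || (size_t)n >= outlen)
        return -1;                  /* refuse a truncated template */
    return mkstemp(out);            /* O_EXCL create, mode 0600, random suffix */
}

int main(void)
{
    char name[PATH_MAX];
    int fd = open_scratch("notes.txt", ".", name, sizeof(name)); /* constructed input */
    if (fd == -1) { perror("open_scratch"); return 1; }
    printf("scratch file: %s\n", name);
    close(fd);
    unlink(name);
    return 0;
}
```

Unlike the pid-based name at main.c:398-400, the name here is not predictable from the process id, and mkstemp(3) fails rather than reusing an existing file.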