Date: Tue, 24 Oct 2000 13:56:34 -0400 From: Garance A Drosihn <drosih@rpi.edu> To: Jeroen Ruigrok van der Werven <jruigrok@via-net-works.nl>, audit@FreeBSD.ORG Subject: Re: printjob.c mktemp() problem Message-ID: <v04210107b61b7a18adac@[128.113.24.47]> In-Reply-To: <20001024140510.G93799@lucifer.bart.nl> References: <20001024140510.G93799@lucifer.bart.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
At 2:05 PM +0200 10/24/00, Jeroen Ruigrok van der Werven wrote: >In printjob.c in the dir src/usr.sbin/lpr/lpd we see a mktemp() >call which creates a file accroding to the template. > >I also see that it is getting unlink()'d again a bunch of lines >later. It is unlinked some 150 lines later, and a lot happens between that mktemp and the call to unlink... >I later on see some open() call on the same tempfile array which >does exactly what the mktemp(3) manpage warns about. > >Am I right into thinking this might be a good candidate for a >mktemp()->mkstemp() conversion? If I ever get my commit status, I would have fixed this. Also notice that mktemp() is called for a file-pattern which does not have a '/' in it, and just a few lines later 'chdir' is called. Thus, mktemp is potentially checking in a different directory than the directory which is active when the file is actually created. Thus, even ignoring the possible race condition (which is probably not much of a problem in this case), the current mktemp call is just plain wrong. It is a great candidate for replacement. IMO. --- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or drosih@rpi.edu Rensselaer Polytechnic Institute To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?v04210107b61b7a18adac>