Date: Thu, 15 Feb 2007 13:17:54 -0500
From: "Dak Ghatikachalam"
To: "Dan Nelson", "Thomas Dickey", "FreeBSD - Questions"
Subject: Re: Ksh Shell script security question.( SOLVED)

On 2/15/07, Dan Nelson wrote:
>
> In the last episode (Feb 15), Thomas Dickey said:
> > On Wed, Feb 14, 2007 at 10:57:12PM -0600, Dan Nelson wrote:
> > > In the last episode (Feb 14), Dak
Ghatikachalam said:
> > > > I am puzzled how to secure this code when this shell script is
> > > > being executed.
> > > >
> > > > ${ORACLE_HOME}/bin/sqlplus -s < [...]
> > > > EOF
> > > >
> > > > When I run this code from shell script in /tmp directory it spews
> > > > file called /tmp/sh03400.000 in that I have this entire code
> > > > visible.
> > >
> > > I bet if you check the permissions you'll find the file has mode
> > > 0600, which means only the user running the script can read the
> > > file (at least that's what a test using the pdksh port does on my
> > > system). ksh93 does have a problem, though: it opens a file and
> > > immediately unlinks it, but the file is world-readable for a short
> > > time.
> >
> > Doesn't it (ksh93, etc) pay attention to umask?
> > If it does, the script should use that feature.
>
> It does honor umask, but I think temp files should be created mode 0600
> in all cases. A person may have a umask of 022 to allow normal files
> to be read by group members but still not want them to see
> here-document contents. They may not even realize that their shell is
> using tempfiles. Some shells use pipes (bash and ash do; zsh uses an
> 0600 tempfile that it immediately unlinks; Solaris sh uses an 0600
> tempfile).
>
> > > Both ksh variants honor the TMPDIR variable, though, so if you create a
> > > ~/tmp directory, chmod it so only you can access it, then set
> > > TMPDIR=~/tmp , you will be secure even if you're using ksh93.
> >
> > relatively (it's not a given that people haven't opened up ~/tmp)
>
> I think if someone has gone to the trouble of creating a private ~/tmp
> directory, they probably know what they're doing and know the
> consequences of opening it up.

I appreciate all your responses.
Thanks a lot for insight on unix fundamentals

The issue I had is solved by doing umask 077 at the start of the script,
so what it did was it created the temporary files with read+write for
owner of the file, and in my process I also create directories while
RMAN backup is being run, so that umask 077 for directory gave rwx for
directories while creation

This problem I had is solved now, it is secure

Thanks
Dak

> --
>         Dan Nelson
>         dnelson@allantgroup.com
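
The fix reported above (umask 077 at the start of the script), combined with the private TMPDIR suggested in the quoted reply, as an added example that is not part of the original thread. The function names are hypothetical, and cat stands in for the sqlplus call so the script runs without Oracle.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Permission string (e.g. "-rw-------") of a path, from portable ls output.
perms_of() {
    ls -ld "$1" | cut -c1-10
}

# Report the permissions a new file and a new directory receive under the
# umask in effect, so the result of "umask 077" is checked, not assumed.
probe_modes() {
    probe=$(mktemp -d "${TMPDIR:-/tmp}/probe.XXXXXX") || return 1
    : > "$probe/file"
    mkdir "$probe/dir"
    echo "$(perms_of "$probe/file") $(perms_of "$probe/dir")"
    rm -rf "$probe"
}

# Restrictive umask plus a private TMPDIR: a ksh that spills here-documents
# to temp files then writes them where only the owner can look.
harden_tmp() {
    umask 077
    TMPDIR=$(mktemp -d "${TMPDIR:-/tmp}/heredoc.XXXXXX") || return 1
    export TMPDIR
}

# Stand-in for the sqlplus call in the thread: the here-document body is the
# sensitive text (constructed placeholder content).
run_heredoc() {
    cat <<EOF
-- sensitive SQL would go here (constructed placeholder)
EOF
}

harden_tmp || exit 1
trap 'rm -rf "$TMPDIR"' EXIT    # remove the private directory on exit
probe_modes                     # -rw------- drwx------
perms_of "$TMPDIR"              # drwx------
run_heredoc >/dev/null
```

With a umask of 022 instead, probe_modes reports -rw-r--r-- drwxr-xr-x, which is the group/world-readable case the quoted replies warn about.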