Date: Sun, 26 Nov 2000 18:00:16 +0100 From: Joachim =?iso-8859-1?Q?Str=F6mbergson?= <watchman@ludd.luth.se> To: Kris Kennaway <kris@citusc.usc.edu> Cc: audit@FreeBSD.ORG Subject: Re: Project for auditors Message-ID: <3A2141A0.7BF149C4@ludd.luth.se> References: <20001124143336.A70550@citusc17.usc.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
Aloha! Kris Kennaway wrote: > Here's something I just noticed../usr/bin/mail will repeatedly create > files with the same name from mktemp(), of the form /tmp/RsXXXXXX (as > well as some others). This needs to be fixed to use mkstemp() since > theres the very easy to exploit race condition there. > > Anyone up for it? Well, I took a 5 min browse in the code. There are two files in mail that uses mktemp: temp.c and quit.c. 5 instances from line 79 and onward in file temp.c, and 1 instance on line 424 in quit.c Replacing mktemp() calls with mkstemp() calls was no problem. But since I don't trust myself on this (yet, hopefully), I'm unsure what I need to change in the code surrounding the actual call. The man page describes the NULL vs -1 diffs. I took a look at the patch for printjob.c and am trying to adapt the way it calls mkstemp(). Also, in the quit.c the temp file is deleted by rm(tempname) on line 448. Should I use unlink() instead? -- Cheers! Joachim - Alltid i harmonisk svängning --- FairLight ------ FairLight ------ FairLight ------ FairLight --- Joachim Strömbergson ASIC SoC designer, nice to CUTE animals Phone: +46(0)31 - 27 98 47 Web: http://www.ludd.luth.se/~watchman --------------- Spamfodder: regeringen@regeringen.se --------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A2141A0.7BF149C4>