From owner-freebsd-security Sat Mar 10 23: 2:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from greg.cex.ca (h207-230-249-123.dccnet.com [207.230.249.123]) by hub.freebsd.org (Postfix) with SMTP id 254E037B718 for ; Sat, 10 Mar 2001 23:02:34 -0800 (PST) (envelope-from gregw-freebsd-security@greg.cex.ca) Received: (qmail 26527 invoked by uid 1001); 11 Mar 2001 07:08:43 -0000 Date: Sat, 10 Mar 2001 23:08:43 -0800 From: Greg White To: FreeBSD Security Subject: Re: temp files for security/logcheck Message-ID: <20010310230843.A26101@greg.cex.ca> Mail-Followup-To: FreeBSD Security References: <200103110435.f2B4ZHw04676@ns1.unixathome.org>; <20010310234519.A68252@databits.net> <200103110447.f2B4lww04741@ns1.unixathome.org> <20010310225345.A14180@mollari.cthul.hu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010310225345.A14180@mollari.cthul.hu>; from kris@obsecurity.org on Sat, Mar 10, 2001 at 10:53:46PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, Mar 10, 2001 at 10:53:46PM -0800, Kris Kennaway wrote: > On Sun, Mar 11, 2001 at 05:47:58PM +1300, Dan Langille wrote: > > AFAIK, the files disappear each time the script is run: > > > > umask 077 > > rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ > > [...] > > Blah, that's an insecure way to create files in $TMPDIR (which is > usually /tmp). It needs to use mktemp(1). > > Kris It is in general, but not in this case. The script and the directory are mode 0700 -- this makes it difficult for it to be insecure. $TMPDIR is explicitly set. -- Greg White Those who make peaceful revolution impossible will make violent revolution inevitable. -- John F. Kennedy To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message