From owner-cvs-all  Tue Oct 20 19:33:21 1998
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id TAA04830
          for cvs-all-outgoing; Tue, 20 Oct 1998 19:33:21 -0700 (PDT)
          (envelope-from owner-cvs-all@FreeBSD.ORG)
Received: from spinner.netplex.com.au (spinner.netplex.com.au [202.12.86.3])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA04817;
          Tue, 20 Oct 1998 19:33:16 -0700 (PDT)
          (envelope-from peter@netplex.com.au)
Received: from spinner.netplex.com.au (localhost [127.0.0.1])
	by spinner.netplex.com.au (8.9.1/8.9.1/Spinner) with ESMTP id KAA14549;
	Wed, 21 Oct 1998 10:31:05 +0800 (WST)
	(envelope-from peter@spinner.netplex.com.au)
Message-Id: <199810210231.KAA14549@spinner.netplex.com.au>
X-Mailer: exmh version 2.0.2 2/24/98
To: Warner Losh <imp@village.org>
cc: Matthew Dillon <dillon@apollo.backplane.com>,
        Bruce Evans <bde@zeta.org.au>, cvs-all@FreeBSD.ORG,
        cvs-committers@FreeBSD.ORG
Subject: Re: cvs commit: src/lib/libc/stdio mktemp.c 
In-reply-to: Your message of "Tue, 20 Oct 1998 15:34:00 CST."
             <199810202134.PAA28899@harmony.village.org> 
Date: Wed, 21 Oct 1998 10:31:05 +0800
From: Peter Wemm <peter@netplex.com.au>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

Warner Losh wrote:
> In message <199810201912.MAA28626@apollo.backplane.com> Matthew Dillon writes
    :
> :     We have enough problems with security, we don't need to add mkstemp()
> :     to the fray after the time had been spent to make it secure.  I don't
> :     give a fart what the 'standards' say... creating files in /tmp is
> :     already an extremely dangerous proposition.  Don't screw it up even mor
    e
> :     by de-securing the function call!
> 
> Any commits tha mkstemp not create the file 600 will be backed out by
> me with extreme prejustice.  Period.  I don't give two rats asses
> about standards, tradition or anything else.  If an application wants
> to share a /tmp file with someone else, fchmod(2) exists for those
> people.
> 
> Sorry to be so harsh, but I agree 100% with Matt here.  We have enough
> problems with people not using mkstemp in the tree now that I don't
> want to *ANYTHING* to make mkstemp any less secure.  I'll have to take
> a good hard look at Peter's commit to see what he's trying to fix.

This was the alternative that I was considering:

Index: mktemp.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/stdio/mktemp.c,v
retrieving revision 1.12
diff -u -r1.12 mktemp.c
--- mktemp.c	1998/10/20 15:33:21	1.12
+++ mktemp.c	1998/10/21 02:27:09
@@ -148,13 +148,18 @@
 	for (;;) {
 		if (doopen) {
 			if ((*doopen =
-			    open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0)
+			    open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0) {
+				fchmod(fd, 0600);
 				return(1);
+			}
 			if (errno != EEXIST)
 				return(0);
 		} else if (domkdir) {
-			if (mkdir(path, 0700) == 0)
+			if (mkdir(path, 0700) == 0) {
+				/* chmod here should be safe enough... */
+				chmod(path, 0700);
 				return(1);
+			}
 			if (errno != EEXIST)
 				return(0);
 		} else if (lstat(path, &sbuf))

This ensures that the created files and directories are accessible to the 
caller no matter how silly the umask is.

> Warner
> 

Cheers,
-Peter
--
Peter Wemm <peter@netplex.com.au>   Netplex Consulting
"No coffee, No workee!" :-)



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message