From owner-freebsd-audit Wed Aug 9 0:21:29 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 9543637B950; Wed, 9 Aug 2000 00:21:27 -0700 (PDT) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id AAA93070; Wed, 9 Aug 2000 00:21:27 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Wed, 9 Aug 2000 00:21:27 -0700 (PDT)
From: Kris Kennaway
To: Kelly Yancey
Cc: audit@FreeBSD.ORG
Subject: Re: Update to patch(1)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 9 Aug 2000, Kelly Yancey wrote:

> Yeah, unfortunately the surrounding files aren't consistent either. :( The
> existing code flips back and forth between the two at will.

Hmm.. it still would be good to choose a consistent style yourself, I guess.

> > * system() is insecure - there's no point in making all the string
> > operations buffer-safe if you go and pass a user string to system() :-)
>
> I can only assume that the original OpenBSD patches were more for
> consistency's sake. It can't hurt, though. :)

Well, there's more to auditing than just making things buffer-safe, although
sometimes the other problems are overlooked. I can only assume that happened
here..

> > * mkstemp() + close() isn't a drop-in replacement for mktemp() since it
> > will leave tempfiles around if the program exits through an abnormal
> > channel (error condition, signal, etc). mkstemp() + unlink() is usually
> > okay if the program (or another program) doesn't need to reopen the same
> > file, although it needs more source-code modification.
> >
>
> Hmm. That is a good point and an interesting dilemma: without making some
> fairly intrusive changes I can't use mkstemp() + unlink(). So which is the
> lesser evil: the existing use of mktemp or risking leaving tempfiles with
> mkstemp()?

Could you do something evil like making a global variable for the file
descriptor so you don't have to pass it around through function calls?

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
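The pattern Kris proposes above (mkstemp(3) followed by an immediate unlink(2), with the descriptor parked in a global so no caller ever needs the file's name again), written out as an added example; this is not code from the thread or from patch(1), and the template path, TMPDIR fallback and function names are my own assumptions:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Global descriptor, as suggested in the thread: later code reaches the temp
 * file through tmp_fd instead of a path, so nothing is threaded through calls. */
static int tmp_fd = -1;

/* Create the temp file with mkstemp(3) and unlink it at once. The kernel
 * frees the inode when the last descriptor closes, whether the program
 * exits normally, on an error path or on a signal, so no file is left
 * behind in the temp directory. Returns the descriptor, or -1 on error. */
int open_unlinked_temp(void)
{
    const char *dir = getenv("TMPDIR");          /* assumption: fall back to /tmp */
    char path[256];
    if (snprintf(path, sizeof path, "%s/patch.XXXXXX", dir ? dir : "/tmp")
            >= (int)sizeof path)
        return -1;
    int fd = mkstemp(path);                      /* rewrites the X's in place */
    if (fd == -1)
        return -1;
    if (unlink(path) == -1) {                    /* name gone; data stays open */
        close(fd);
        return -1;
    }
    tmp_fd = fd;
    return fd;
}

/* Write data to the unlinked file and read it back through the same
 * descriptor, rewinding with lseek(2) instead of reopening by name. */
int roundtrip_temp(const char *data, char *out, size_t outlen)
{
    size_t len = strlen(data);
    if (tmp_fd == -1 || len + 1 > outlen)
        return -1;
    if (write(tmp_fd, data, len) != (ssize_t)len)
        return -1;
    if (lseek(tmp_fd, 0, SEEK_SET) == -1)
        return -1;
    if (read(tmp_fd, out, len) != (ssize_t)len)
        return -1;
    out[len] = '\0';
    return 0;
}
```

The trade-off the thread raises stays visible here: once the name is gone, another program cannot open the file, so this only fits the cases Kris describes where nothing needs to reopen it by path.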