Date: Wed, 7 Jun 2000 11:55:46 -0400 (EDT)
From: mi@privatelabs.com
To: Kris Kennaway <kris@FreeBSD.org>
Cc: sobomax@FreeBSD.org, freebsd-ports@FreeBSD.org
Subject: Re: Call for arbitrage [Fwd: Re: ports/19047: net/arpwatch patched to use tmpfile() instead of mktemp()]
Message-ID: <200006071555.LAA92187@misha.privatelabs.com>
In-Reply-To: <Pine.BSF.4.21.0006070337500.66450-100000@freefall.freebsd.org>

On 7 Jun, Kris Kennaway wrote:

= I believe the question is whether tmpfile() should be used in
= preference to mkstemp().
=
= On FreeBSD, either tmpfile() or mkstemp() have identical security
= properties (tmpfile() in fact calls mkstemp() internally), but as
= stated in the manpage, on other platforms tmpfile() is broken.
= Therefore, my recommendation is to use something like:
= 	int fd;
= 	FILE *fp;
=
= 	if ((fd = mkstemp(foo)) == -1) {
= 		err(1, "mkstemp");
= 	} else {
= 		unlink(fd);
= 	}
= 	if ((fp = fdopen(fd, "w+")) == NULL)
= 		err(1, "fdopen");
=
= 	...

Thank you, Kris, for agreeing to moderate, but your suggestion in itself
is not applicable:

	SYNOPSIS
	     #include <unistd.h>

	     int
	     unlink(const char *pathname);

Yes, it is possible to use mkstemp instead of tmpfile and it is even
simpler than what you wrote. However, I continue to believe that the
direct use of tmpfile is even simpler (no separate calls, no string
templates, no separate error checks), makes the code nicer and avoids
duplicating in the arpwatch's report() what is already done in the
FreeBSD's tmpfile(). In fact, even if arpwatch used the mkstemp/fdopen,
I'd advocate changing that to tmpfile for these reasons.

= This method is portable across platforms, and can safely be
= reintegrated by the software author.

The use of tmpfile is no less portable than the use of err :-). At least
tmpfile _exists_ on other systems, even if it is not really a secure
solution on some of them (which ones? is arpwatch even ported to
others?)

Personally, I think the authors should not bother with the tmpfile at
all and simply write to the stdin of the execed sendmail -- like the
vacation(1) is doing.

However, I'm glad I was able to spot the ld's warning about the use of
mktemp and will now rest. The submitted patch works and is secure on all
of the BSDs -- the users of the ports tree. The arpwatch maintainers
will create their own anyway, I suspect.

I'm sorry, but my silly ego prevents me from offering any modifications
to achieve a compromise I don't see needed.

Sincerely,

	-mi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
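
The mkstemp()/unlink()/fdopen() sequence debated in this message, written out as an added example (not code from the thread, the submitted patch, or arpwatch), with unlink() given the pathname that mkstemp() filled in, as the quoted SYNOPSIS requires. The function names and the /tmp/example.XXXXXX template are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example; anon_tmp_stream and the /tmp template are assumptions. */
FILE *anon_tmp_stream(void)
{
    char path[] = "/tmp/example.XXXXXX"; /* mkstemp() fills in the X's */
    int fd = mkstemp(path);              /* exclusive create + open */
    FILE *fp;
    if (fd == -1) return NULL;
    /* unlink() takes the pathname mkstemp() wrote, not the descriptor. */
    if (unlink(path) == -1) {
        close(fd);
        return NULL;
    }
    if ((fp = fdopen(fd, "w+")) == NULL) {
        close(fd);                       /* fdopen() failed: do not leak fd */
        return NULL;
    }
    return fp;
}

/* Link count behind fp; 0 means no name is left in the filesystem. */
long stream_link_count(FILE *fp)
{
    struct stat st;
    return fstat(fileno(fp), &st) == -1 ? -1L : (long)st.st_nlink;
}

/* Write msg, rewind, read it back; 0 when the round trip matches. */
int roundtrip(FILE *fp, const char *msg)
{
    char buf[128];
    if (fputs(msg, fp) == EOF || fflush(fp) == EOF) return -1;
    rewind(fp);
    if (fgets(buf, sizeof buf, fp) == NULL) return -1;
    return strcmp(buf, msg) != 0;
}

int main(void)
{
    FILE *fp = anon_tmp_stream();
    if (fp == NULL) return 1;
    printf("links=%ld roundtrip=%d\n", stream_link_count(fp), roundtrip(fp, "test line\n"));
    return fclose(fp) == EOF;
}
```

Because the name is removed before any data is written, the file's storage is reclaimed when the stream is closed or the process exits.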