From owner-freebsd-ports Wed Jun 7 8:57: 8 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from privatecube.privatelabs.com (privatecube.privatelabs.com [198.143.31.30])
    by hub.freebsd.org (Postfix) with ESMTP id A730937BA89;
    Wed, 7 Jun 2000 08:57:03 -0700 (PDT) (envelope-from mi@privatelabs.com)
Received: from misha.privatelabs.com (root@misha.privatelabs.com [198.143.31.6])
    by privatecube.privatelabs.com (8.9.2/8.9.2) with ESMTP id LAA10290;
    Wed, 7 Jun 2000 11:56:10 -0400 (EDT)
Received: from privatelabs.com (mi@localhost [127.0.0.1])
    by misha.privatelabs.com (8.9.3/8.9.3) with ESMTP id LAA92187;
    Wed, 7 Jun 2000 11:55:49 -0400 (EDT) (envelope-from mi@privatelabs.com)
From: mi@privatelabs.com
Message-Id: <200006071555.LAA92187@misha.privatelabs.com>
Date: Wed, 7 Jun 2000 11:55:46 -0400 (EDT)
Subject: Re: Call for arbitrage [Fwd: Re: ports/19047: net/arpwatch patched to use tmpfile() instead of mktemp()]
To: Kris Kennaway
Cc: sobomax@FreeBSD.org, freebsd-ports@FreeBSD.org
In-Reply-To:
MIME-Version: 1.0
Content-Type: TEXT/plain; CHARSET=US-ASCII
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 7 Jun, Kris Kennaway wrote:
= I believe the question is whether tmpfile() should be used in
= preference to mkstemp().
=
= On FreeBSD, either tmpfile() or mkstemp() have identical security
= properties (tmpfile() in fact calls mkstemp() internally), but as
= stated in the manpage, on other platforms tmpfile() is broken.
= Therefore, my recommendation is to use something like:
=     int fd;
=     FILE *fp;
=
=     if ((fd = mkstemp(foo)) == -1) {
=         err(1, "mkstemp");
=     } else {
=         unlink(fd);
=     }
=     if ((fp = fdopen(fd, "w+")) == NULL)
=         err(1, "fdopen");
=
=     ...

Thank you, Kris, for agreeing to moderate, but your suggestion in itself
is not applicable:

    SYNOPSIS
        #include
        int unlink(const char *pathname);

Yes, it is possible to use mkstemp instead of tmpfile and it is even
simpler than what you wrote.
However, I continue to believe that the direct use of tmpfile is even
simpler (no separate calls, no string templates, no separate error
checks), makes the code nicer and avoids duplicating in the arpwatch's
report() what is already done in the FreeBSD's tmpfile(). In fact, even
if arpwatch used the mkstemp/fdopen, I'd advocate changing that to
tmpfile for these reasons.

= This method is portable across platforms, and can safely be
= reintegrated by the software author.

The use of tmpfile is no less portable than the use of err :-). At least
tmpfile _exists_ on other systems, even if it is not really a secure
solution on some of them (which ones? is arpwatch even ported to
others?)

Personally, I think the authors should not bother with the tmpfile at
all and simply write to the stdin of the execed sendmail -- like the
vacation(1) is doing. However, I'm glad I was able to spot the ld's
warning about the use of mktemp and will now rest.

The submitted patch works and is secure on all of the BSDs -- the users
of the ports tree. The arpwatch maintainers will create their own
anyway, I suspect.

I'm sorry, but my silly ego prevents me from offering any modifications
to achieve a compromise I don't see needed.

Sincerely,

    -mi
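
The mkstemp()/unlink()/fdopen() pattern discussed in this message, written out as an added example (not code from the thread or from arpwatch), with unlink() given the pathname that mkstemp() filled in rather than the descriptor. The helper names `open_anon_tmp` and `tmp_link_count` and the template path are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical helper (not arpwatch code): returns an anonymous "w+" stream,
 * or NULL on failure. The template path is an assumption. */
FILE *open_anon_tmp(void)
{
    char path[] = "/tmp/report.XXXXXX"; /* mkstemp() rewrites the X's in place */
    int fd = mkstemp(path);             /* created exclusively, mode 0600 */
    FILE *fp;

    if (fd == -1)
        return NULL;
    /* unlink() takes the pathname, not the descriptor. Removing the name
     * right away leaves nothing behind on any later exit path. */
    if (unlink(path) == -1) {
        close(fd);
        return NULL;
    }
    if ((fp = fdopen(fd, "w+")) == NULL) {
        close(fd);                      /* a failed fdopen() does not close fd */
        return NULL;
    }
    return fp;
}

/* Link count of the open file: 0 once its name is gone, -1 on error. */
long tmp_link_count(FILE *fp)
{
    struct stat st;
    return fstat(fileno(fp), &st) == -1 ? -1 : (long)st.st_nlink;
}

int main(void)
{
    char buf[64];
    FILE *fp = open_anon_tmp();
    if (fp == NULL) { perror("open_anon_tmp"); return 1; }
    fputs("constructed report line\n", fp);   /* constructed sample data */
    rewind(fp);
    if (fgets(buf, sizeof buf, fp) != NULL)
        printf("links=%ld read back: %s", tmp_link_count(fp), buf);
    fclose(fp);
    return 0;
}
```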