Date:      Thu, 15 Feb 2007 10:29:42 -0600
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Thomas Dickey <dickey@radix.net>
Cc:        FreeBSD - Questions <freebsd-questions@freebsd.org>
Subject:   Re: Ksh Shell script security question.
Message-ID:  <20070215162942.GB1716@dan.emsphone.com>
In-Reply-To: <20070215111355.GA17348@saltmine.radix.net>
References:  <ba29b9b40702141608p57e63b4bg757f57acd33b0dcf@mail.gmail.com> <20070215045712.GA1716@dan.emsphone.com> <20070215111355.GA17348@saltmine.radix.net>

In the last episode (Feb 15), Thomas Dickey said:
> On Wed, Feb 14, 2007 at 10:57:12PM -0600, Dan Nelson wrote:
> > In the last episode (Feb 14), Dak Ghatikachalam said:
> > > I am puzzled how to secure this code when this shell script is
> > > being executed.
> > > 
> > > ${ORACLE_HOME}/bin/sqlplus -s  <<EOF | tee -a  ${RESTOREFILE}
[...]
> > > EOF
> > > 
> > > When I run this code from a shell script in the /tmp directory, it
> > > spews a file called /tmp/sh03400.000 in which this entire code is
> > > visible.
> > 
> > I bet if you check the permissions you'll find the file has mode
> > 0600, which means only the user running the script can read the
> > file (at least that's what a test using the pdksh port does on my
> > system).  ksh93 does have a problem, though: it opens a file and
> > immediately unlinks it, but the file is world-readable for a short
> > time.
> 
> Doesn't it (ksh93, etc) pay attention to umask?
> If it does, the script should use that feature.

It does honor umask, but I think temp files should be created mode 0600
in all cases.  A person may have a umask of 022 to allow normal files
to be read by group members but still not want them to see
here-document contents.  They may not even realize that their shell is
using tempfiles.  Some shells use pipes (bash and ash do; zsh uses an
0600 tempfile that it immediately unlinks; Solaris sh uses an 0600
tempfile).
 
> > Both ksh variants honor the TMPDIR variable, though, so if you create a
> > ~/tmp directory, chmod it so only you can access it, then set
> > TMPDIR=~/tmp , you will be secure even if you're using ksh93.
> 
> relatively (it's not a given that people haven't opened up ~/tmp)

I think if someone has gone to the trouble of creating a private ~/tmp
directory, they probably know what they're doing and know the
consequences of opening it up.

-- 
	Dan Nelson
	dnelson@allantgroup.com
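
The private TMPDIR setup Dan describes, as an added POSIX sh example that is not part of the original thread: it creates a 0700 ~/tmp-style directory that only the caller owns (refusing a symlink and repairing a directory that has since been opened up, the caveat Thomas raises), exports TMPDIR so a ksh that spools here-documents to temp files lands them there, and checks that a here-document written under umask 077 comes out 0600. The function names, the ls -ld based permission check and the sample here-document are this example's own, not anything from the thread; it assumes a POSIX sh with ls, cut, find and id.

```shell
#!/bin/sh
# Added example (not from the original thread): keep a shell that spools
# here-documents to temp files (ksh93, per the thread) inside a directory
# that nobody else can enter, and audit that the result really is private.
# All function names here are this example's own.

set -u

# Group/other permission bits of a path as six characters, e.g. "------"
# or "r-xr-x". ls -ld is used because stat's flags differ between GNU and BSD.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Succeed only if nothing but the owner can read, write or traverse the path.
is_private() {
    [ "$(group_other_bits "$1")" = "------" ]
}

# Create (or repair) a directory that only the caller can use.
# -m 0700 gives a new directory that mode whatever the umask is; the chmod
# that follows forces it back to 0700 if the directory already existed and
# was later "opened up" (the caveat raised in the thread).
make_private_dir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    mkdir -p -m 0700 "$dir" || return 1
    chmod 0700 "$dir" || return 1
    # A 0700 directory owned by someone else is their private directory,
    # not ours: find -user is POSIX, unlike test -O.
    if [ -z "$(find "$dir" -prune -user "$(id -un)" -print)" ]; then
        echo "not owned by $(id -un): $dir" >&2
        return 1
    fi
    is_private "$dir"
}

# Point the shell (and any here-document spool files) at the private directory.
use_private_tmpdir() {
    make_private_dir "$1" || return 1
    TMPDIR=$1
    export TMPDIR
}

# Constructed stand-in for the sqlplus here-document in the thread: under
# umask 077 every file created here, by cat or by the shell itself, is 0600.
# Prints the path of the spooled file when it is private.
spool_here_doc() {
    out=$TMPDIR/restore.$$
    (
        umask 077
        cat >"$out" <<'EOF'
-- constructed sample, not the original SQL
select 'secret' from dual;
EOF
    )
    is_private "$out" && echo "$out"
}

# Usage, as in the thread: use_private_tmpdir "$HOME/tmp"
```

This protects the spool file by the directory around it, not by changing the mode ksh93 itself uses for the file, so a directory that is later chmod'ed back to 0755 silently loses the protection; re-running use_private_tmpdir at the top of a script repairs that before the here-document is expanded.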



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070215162942.GB1716>