Date: Mon, 15 May 2000 21:40:03 -0700 (PDT) From: Tim Vanderhoek <tim@localhost.nowhere> To: freebsd-bugs@FreeBSD.org Subject: Re: bin/16929: [PATCH] prevent possible race condition Message-ID: <200005160440.VAA45746@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR bin/16929; it has been noted by GNATS. From: Tim Vanderhoek <tim@localhost.nowhere> To: freebsd-gnats-submit@FreeBSD.org, spock@techfour.net Cc: vanderh@ecf.toronto.edu Subject: Re: bin/16929: [PATCH] prevent possible race condition Date: Tue, 16 May 2000 00:36:58 -0400 (EDT) > >sort can create the following predictable tempfiles: >/tmp/sort{pid}{seq} It appears that the security implications of this have already been fixed in rev.1.11 of src/gnu/usr.bin/sort/sort.c. > Fix > >Since sort can create many tempfiles, we should leave it's current >naming scheme alone, rather create a secure dir in TMP with mkdtemp(3), >and let sort dumps it's file in there. > >Apply the following patch, sorry there might be whitespace bugs =( > >Index: gnu/usr.bin/sort/sort.c >=================================================================== >RCS file: /home/ncvs/src/gnu/usr.bin/sort/sort.c,v >retrieving revision 1.15 >diff -u -r1.15 sort.c >--- sort.c 1999/04/25 22:14:05 1.15 >+++ sort.c 2000/02/23 06:45:13 >@@ -171,6 +171,8 @@ > > /* Prefix for temporary file names. */ > static char *temp_file_prefix; >+/* Temporary dir for temp files, *with* above prefix */ >+static char *temp_dir = NULL; > > /* Flag to reverse the order of all comparisons. */ > static int reverse; >@@ -288,6 +290,9 @@ > > for (node = temphead.next; node; node = node->next) > unlink (node->name); >+ if( temp_dir ) >+ rmdir(temp_dir); >+ > } > > /* Allocate N bytes of memory dynamically, with error checking. */ >@@ -413,6 +418,7 @@ > } > } > >+#define DIR_TEMPLATE "sortXXXXXXXXXX" > /* Return a name for a temporary file. */ > > static char * >@@ -420,15 +426,29 @@ > { > static unsigned int seq; > int len = strlen (temp_file_prefix); >- char *name = xmalloc (len + 1 + sizeof ("sort") - 1 + 5 + 5 + 1); >+ char *name=xmalloc(len + 1 + sizeof(DIR_TEMPLATE)-1 + 1 + sizeof("sort")-1 + > 5 + 5 + 1); > struct tempnode *node; > > node = (struct tempnode *) xmalloc (sizeof (struct tempnode)); >+ if( !temp_dir ) >+ { >+ temp_dir = xmalloc( len + 1 + sizeof(DIR_TEMPLATE) ); >+ sprintf(temp_dir, >+ "%s%s%s", >+ temp_file_prefix, >+ (len && temp_file_prefix[len - 1] != '/') ? " >/" : "", >+ DIR_TEMPLATE); >+ if( mkdtemp(temp_dir) == NULL ) >+ { >+ error(0, errno, _("can't make temp dir")); >+ exit(2); >+ } >+ } >+ > sprintf (name, >- "%s%ssort%5.5d%5.5d", >- temp_file_prefix, >- (len && temp_file_prefix[len - 1] != '/') ? "/" : "", >- (unsigned int) getpid () & 0xffff, seq); >+ "%s/sort%5.5d%5.5d", >+ temp_dir, >+ (unsigned int) getpid () & 0xffff, seq); > > /* Make sure that SEQ's value fits in 5 digits. */ > ++seq; > > > [4]Submit Followup > _________________________________________________________________ > > > [5]www@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200005160440.VAA45746>