Date: Mon, 15 May 2000 21:40:03 -0700 (PDT)
From: Tim Vanderhoek <tim@localhost.nowhere>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/16929: [PATCH] prevent possible race condition
Message-ID: <200005160440.VAA45746@freefall.freebsd.org>
The following reply was made to PR bin/16929; it has been noted by GNATS.
From: Tim Vanderhoek <tim@localhost.nowhere>
To: freebsd-gnats-submit@FreeBSD.org, spock@techfour.net
Cc: vanderh@ecf.toronto.edu
Subject: Re: bin/16929: [PATCH] prevent possible race condition
Date: Tue, 16 May 2000 00:36:58 -0400 (EDT)
>
>sort can create the following predictable tempfiles:
>/tmp/sort{pid}{seq}
It appears that the security implications of this have already been
fixed in rev.1.11 of src/gnu/usr.bin/sort/sort.c.
> Fix
>
>Since sort can create many tempfiles, we should leave its current
>naming scheme alone, rather create a secure dir in TMP with mkdtemp(3),
>and let sort dump its file in there.
>
>Apply the following patch, sorry there might be whitespace bugs =(
>
>Index: gnu/usr.bin/sort/sort.c
>===================================================================
>RCS file: /home/ncvs/src/gnu/usr.bin/sort/sort.c,v
>retrieving revision 1.15
>diff -u -r1.15 sort.c
>--- sort.c 1999/04/25 22:14:05 1.15
>+++ sort.c 2000/02/23 06:45:13
>@@ -171,6 +171,8 @@
>
> /* Prefix for temporary file names. */
> static char *temp_file_prefix;
>+/* Temporary dir for temp files, *with* above prefix */
>+static char *temp_dir = NULL;
>
> /* Flag to reverse the order of all comparisons. */
> static int reverse;
>@@ -288,6 +290,9 @@
>
> for (node = temphead.next; node; node = node->next)
> unlink (node->name);
>+ if( temp_dir )
>+ rmdir(temp_dir);
>+
> }
>
> /* Allocate N bytes of memory dynamically, with error checking. */
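Review bot: the `rmdir(temp_dir)` added at the end of the cleanup routine ignores its return value, so if anything is still in the directory (a file that is not on the `temphead` list, or one whose `unlink` failed) the directory is silently left behind. Consider checking the result and reporting the failure, and clearing `temp_dir` afterwards so a second call does not retry on a stale path. The spacing in `if( temp_dir )` and the blank line added before the closing brace also differ from the `unlink (node->name);` style of the surrounding lines.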
>@@ -413,6 +418,7 @@
> }
> }
>
>+#define DIR_TEMPLATE "sortXXXXXXXXXX"
> /* Return a name for a temporary file. */
>
> static char *
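Review bot: `#define DIR_TEMPLATE` lands directly above the existing "Return a name for a temporary file." comment with no comment of its own, so that comment now appears to describe the macro. Suggest moving the define up next to the `temp_dir` declaration and documenting that the trailing X's are the part mkdtemp(3) replaces.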
>@@ -420,15 +426,29 @@
> {
> static unsigned int seq;
> int len = strlen (temp_file_prefix);
>- char *name = xmalloc (len + 1 + sizeof ("sort") - 1 + 5 + 5 + 1);
>+ char *name=xmalloc(len + 1 + sizeof(DIR_TEMPLATE)-1 + 1 + sizeof("sort")-1 +
> 5 + 5 + 1);
> struct tempnode *node;
>
> node = (struct tempnode *) xmalloc (sizeof (struct tempnode));
>+ if( !temp_dir )
>+ {
>+ temp_dir = xmalloc( len + 1 + sizeof(DIR_TEMPLATE) );
>+ sprintf(temp_dir,
>+ "%s%s%s",
>+ temp_file_prefix,
>+ (len && temp_file_prefix[len - 1] != '/') ? "
>/" : "",
>+ DIR_TEMPLATE);
>+ if( mkdtemp(temp_dir) == NULL )
>+ {
>+ error(0, errno, _("can't make temp dir"));
>+ exit(2);
>+ }
>+ }
>+
> sprintf (name,
>- "%s%ssort%5.5d%5.5d",
>- temp_file_prefix,
>- (len && temp_file_prefix[len - 1] != '/') ? "/" : "",
>- (unsigned int) getpid () & 0xffff, seq);
>+ "%s/sort%5.5d%5.5d",
>+ temp_dir,
>+ (unsigned int) getpid () & 0xffff, seq);
>
> /* Make sure that SEQ's value fits in 5 digits. */
> ++seq;
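Review bot: as mailed, two added statements in this hunk are wrapped mid-expression, the `xmalloc(... sizeof("sort")-1 +` line and the `? "` / `/" : ""` argument inside the `if( !temp_dir )` block, so the hunk will neither apply nor compile; please regenerate the diff and send it in a form that is not re-wrapped. On the logic: the per-file names stay predictable by design, so the protection rests entirely on the directory from `mkdtemp(temp_dir)` being private to the user (mkdtemp(3) creates it with mode 0700); a comment saying so at the `mkdtemp` call would keep a later change from weakening it. Minor: `node` is allocated before the `mkdtemp` failure path, and `if( !temp_dir )` / `xmalloc( ... )` do not follow the `xmalloc (sizeof ...)` spacing used in the context lines.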
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200005160440.VAA45746>
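
The approach proposed in the PR (keep sort's pid/sequence file names, but place them inside a directory made with mkdtemp(3)), as an added example that is not part of the original message or of the FreeBSD source. The helper names `make_private_dir`, `create_temp` and `mode_bits`, the `/tmp` prefix and the buffer sizes are assumptions made for illustration; the example goes slightly beyond the patch by also opening each file with O_EXCL.

```c
/* Added example: a private temp directory holding predictably named files. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose mkdtemp(3) on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create PREFIX/sortXXXXXXXXXX with mkdtemp(3); returns 0, or -1 with errno set. */
int make_private_dir(const char *prefix, char *dir, size_t dirsz)
{
    int n = snprintf(dir, dirsz, "%s/sortXXXXXXXXXX", prefix);
    if (n < 0 || (size_t)n >= dirsz) { errno = ENAMETOOLONG; return -1; }
    return mkdtemp(dir) ? 0 : -1;
}

/* Create DIR/sort<pid><seq>; O_EXCL refuses any name that already exists. */
int create_temp(const char *dir, unsigned seq, char *name, size_t namesz)
{
    int n = snprintf(name, namesz, "%s/sort%5.5u%5.5u", dir,
                     (unsigned)getpid() & 0xffff, seq);
    if (n < 0 || (size_t)n >= namesz) { errno = ENAMETOOLONG; return -1; }
    return open(name, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Permission bits of PATH, or -1 if it cannot be examined. */
int mode_bits(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

int main(void)
{
    char dir[256], name[512];
    if (make_private_dir("/tmp", dir, sizeof dir) != 0) { perror("mkdtemp"); return 2; }
    int fd = create_temp(dir, 0, name, sizeof name);
    if (fd < 0) { perror("open"); return 2; }
    printf("%s (dir mode %o)\n", name, (unsigned)mode_bits(dir));
    close(fd);
    unlink(name);                   /* remove the files first ... */
    return rmdir(dir) == 0 ? 0 : 2; /* ... otherwise rmdir fails */
}
```

The directory can only be removed once every file in it is gone, which is why the cleanup order (unlink, then rmdir) and the rmdir result both matter.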
