[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#20241: Timezones should depend on debian-utils

Manoj Srivastava wrote:
>  (though my toruous shell script can serve to be a poor mans
>  tempfile if tempfile is not available.)

Not on my system, it can't! It has a race condition. As you yourself said:

> The non-tempfile           
> solution is not quite as safe (since a link maybe created ater we              
> test for existence and before we create an empty file, or after we             
> remove and before we create the empty file, but those windows are              
> relatively small.

Yes, you have a race condition there. And yes, similar race conditions have
been successfully exploited. It doesn't matter how small the window is.

A safe way to make a /tmp file:

mkdir /tmp/tmpdir || {
	# You can replace this with something else if you like, perhaps
	# something that tries another directory name.
        echo unable to create temporary directory. Giving up.
        exit 1
}
tmpfile=/tmp/tmpdir.$$/tmpfile

mkdir will abort if /tmp/tmpdir.$$ alreay exists, and is atomic so it cannot
be raced. (Warning: I am not a security expert. However, I've seen this
explained several times in the past and I'm pretty sure this is the proper
way to do it.)

-- 
see shy jo


--
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: