[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: many scripts fail if /tmp/tempfile.$$ exists -> local DOS vulnerability

Santiago Vila <sanvila@unex.es> wrote:
> Jakob Lell wrote:
>> many shell scripts use tempfiles like /tmp/tempfile.$$. This creates
>> insecure tempfile vulnerabilities. One commonly used fix for this problem
>> is to use set -e or/and set -C in the shell script. [...]

> Debian already has a general fix for that. It's called tempfile and
> it's in package debianutils, which is essential.

There is also mktemp(1) which is able to generate tempory files _and_
directories. Has by chance anybody checked the respective source-codes
and could tell us whether mktemp(1) or tempfile(1) should be prefered
for generating tempory /files/?

Another question: tempfile(1) says:
| Debian packages using tempfile in maintainer scripts must depend on
| debianutils >= 1.6.

tempfile 1.6 was released april 1997, i.e. it was probably included in
Bo, or it for sure in Hamm. Shouldn't this sentence be removed, we
don't support upgrades from Bo or Hamm to potato anyway.
             cu andreas
Hey, da ist ein Ballonautomat auf der Toilette!
Unofficial _Debian-packages_ of latest unstable _tin_

Reply to: