
Re: [PATCH] Use an unique temporary multistrap file and remove it afterwards



> Adding the process ID to the temporary multistrap configuration file
> makes it unique. This allows multiple invocations at the same time.
> For a multi-user system, as Linux is, this is important.
> 
> Also, the temp file is deleted after usage.

While it is better than the original, it still allows for attacks -
using a predictable filename in /tmp is always a security issue, and
even the PID does make it immune to attacks (google for "tmp symlink
attack" for details).

Please consider using tempfile(1) for safely getting a temporary file.

Best regards,
-- 
Yann
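
The difference between a PID-based name and an exclusively created temporary file, as an added example that is not part of the original message or of the patch under review. It uses mktemp(1) rather than the tempfile(1) named above, the file name `multistrap.$$.conf` is hypothetical, and everything runs inside a private scratch directory with constructed data.

```shell
#!/bin/sh
# Constructed scenario: all paths live in a scratch directory made by mktemp -d.

# Predictable pattern: the name is derived from the PID and opened with a
# plain '>' redirection, which follows an existing symlink.
write_predictable() {
    dir=$1
    conf="$dir/multistrap.$$.conf"      # hypothetical name, guessable in advance
    echo "[General]" > "$conf"
}

# Safer pattern: mktemp(1) picks a random name and creates the file
# exclusively (O_EXCL, mode 0600), so an existing file or link is never reused.
write_safe() {
    dir=$1
    conf=$(mktemp "$dir/multistrap.XXXXXXXXXX") || return 1
    echo "[General]" > "$conf"
    printf '%s\n' "$conf"
}

# Prints "clobbered" if a write went through a link that already existed at
# the predictable path, "intact" otherwise. $1 is "unsafe" or "safe".
demo() {
    scratch=$(mktemp -d) || return 1
    echo "important data" > "$scratch/victim"
    # A link already sits at the PID-based name before the script writes.
    ln -s "$scratch/victim" "$scratch/multistrap.$$.conf"
    case $1 in
        unsafe) write_predictable "$scratch" ;;
        safe)   conf=$(write_safe "$scratch") ;;
    esac
    if [ "$(cat "$scratch/victim")" = "important data" ]; then
        result=intact
    else
        result=clobbered
    fi
    rm -rf "$scratch"                   # remove the temp files afterwards
    echo "$result"
}
```

In a real script, pair the mktemp call with `trap 'rm -f "$conf"' EXIT` so the file is removed on every exit path.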

