Re: [Pkg-grass-general] Re: [GRASS bug #2877] Insecure tempfile creation
Hamish,
This page describes a way to create a secure tmp directory where you can
create tmp files without worrying about their names:
http://www.linuxsecurity.com/content/view/115462/151/#mozTocId316364
Regards,
Steve
On Fri, 2005-01-28 at 12:54 +1300, Hamish wrote:
> > > Just an update re. less-insecure tempfiles ..
>
> almost done now. The g.tempfile module didn't need to be changed.
>
>
> Maybe someone can help me with this one:
> lib/db/stubs/BUILD.PROTO
>
> It's fairly simple but I'm at a loss as to how to fix it.
>
> a) store multiline data as a shell environmental variable?
> No idea how to do that well.
> -- hey, there's no #!/bin/sh ? beware csh setenv etc.
>
> b) store temporary file in `pwd` which is the build dir? (& therefore
> always writeable by the user)
> -- i.e. make first line "tmp=build_proto_tmp.$$"
>
>
> As this is only used during build time it isn't a vulnerability
> in the end package, but still would be nice to fix.
>
>
>
> ==================================
>
> tmp=/tmp/$$
> rm -f $tmp
> make.proto *.c > $tmp
> awk '/^#undef/{next}/^ *#/{print}' $tmp
> echo ""
> cat $tmp | \
> awk '/^struct /{print "REMOVED:" $0 > "/dev/tty"; next}{print}' | \
> awk '/db_/ {printf "%s %s",$2,$1
> for (i=3; i<=NF; i++) printf (" %s", $i)
> print ""
> }' | \
> sort -d | \
> awk '{type = $2}
> {name = $1}
> name ~ /^\*/ {type = type " *"; name = substr(name,2,length(name))}
> {printf ("%-5s %-25s",type,name)
> for (i=3; i<=NF; i++) printf (" %s", $i)
> print ""
> } '
> echo ""
> awk '/^#undef/{print}' $tmp
> rm -f $tmp
>
> ====================================
>
>
>
> thanks,
> Hamish
>
> _______________________________________________
> Pkg-grass-general mailing list
> Pkg-grass-general@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-general
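
One way to get the private temporary directory Steve describes, applied to a script shaped like the quoted BUILD.PROTO. This is an added example, not code from the thread or from GRASS; the function names, the `build_proto` prefix and the sample input used to exercise it are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Function names and the
# "build_proto" prefix are assumptions made for illustration.

# Create $1 as a directory only the current user can enter. mkdir is atomic
# and fails if the name already exists, even as a dangling symlink, so an
# entry planted by another user is never followed or reused.
mkdir_private() {
    (umask 077 && mkdir "$1")
}

# Print the path of a new private directory under $1 (default $TMPDIR or /tmp).
make_private_tmpdir() {
    parent=${1:-${TMPDIR:-/tmp}}
    if command -v mktemp >/dev/null 2>&1; then
        # mktemp -d chooses an unpredictable name and creates it mode 0700.
        mktemp -d "$parent/build_proto.XXXXXX"
    else
        # Fallback for systems without mktemp: predictable name, atomic create.
        mkdir_private "$parent/build_proto.$$" &&
            printf '%s\n' "$parent/build_proto.$$"
    fi
}

# Same shape as the quoted script: write intermediate output to a temp file,
# read it back with awk, remove it. The file name inside the private
# directory can be fixed because no other user can create entries there.
# stdin = text to filter, $1 = parent directory for the temp dir (optional).
list_undefs() {
    tmpdir=$(make_private_tmpdir "$1") || return 1
    tmp="$tmpdir/proto"
    cat > "$tmp"                   # stands in for: make.proto *.c > $tmp
    awk '/^#undef/{print}' "$tmp"
    status=$?
    rm -rf "$tmpdir"
    return $status
}
```

Unlike `tmp=/tmp/$$`, nothing here writes through a name that another local user could have created first, and `$tmp` is quoted wherever it is used.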