Re: [GRASS5] Re: [Pkg-grass-general] r.terraflow ?
Hamish wrote:
> > > > Isn't r.terraflow module added to grass6 (installed as debian
> > > > package).
> > >
> > > No. There is an outstanding security issue that precludes it from
> > > being part of the Debian package. (insecure temp files)
> > >
> > > See /usr/share/doc/grass/changelog.Debian.gz
> >
> > What's keeping us from patching r.terraflow then? I'm guessing it's
> > probably swapping one libc function for another, no?
>
>
> Not very much, just needs to be changed to use a directory created with
> G_tempfile() or tmpfile() instead of /var/tmp/ by default for the
> STREAM_DIR= option.
>
> G_tempfile() creates a temporary file in the user's mapset repository,
> e.g. $MAPSET/.tmp/$HOSTNAME/12345.0
>
> Just need to remove that file, mkdir something of the same name &
> cleanup when done?
>
> G_tempfile() is found in the grass source in lib/gis/tempfile.c
>
> Alternatively & maybe better use tmpfile(). G_tempfile() & usage
> rules may be in flux in the near future, please read this thread:
> http://thread.gmane.org/gmane.comp.gis.grass.devel/8065

The simplest approach is likely to be to use the session directory
/tmp/grass6-<user>-<pid>. That should be writable only by its owner.
So long as that directory is created securely, we don't need to worry
about creating files inside it. At least, not from a security
standpoint; race conditions could still be an issue for background
processes.
--
Glynn Clements <glynn@gclements.plus.com>
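
One way to read "created securely" for a per-session directory, as an added example (not GRASS code and not part of the original message). The function names `make_private_dir` and `make_session_dir`, and the user name `demo`, are hypothetical; only the `/tmp/grass6-<user>-<pid>` layout comes from the thread.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create `path` as a private directory, or accept an existing entry only
 * if it is a real directory (not a symlink), owned by us, with no
 * group/other permission bits. Returns 0 if usable, -1 if not trusted. */
int make_private_dir(const char *path)
{
    struct stat st;

    /* mkdir() does not follow a symlink in the final component and fails
     * with EEXIST if anything already exists there, so creation is atomic. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;

    /* lstat(), not stat(): a pre-planted symlink must be seen as a link. */
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid())
        return -1;
    /* In a sticky /tmp, other users cannot rename or remove an entry we
     * own, so an owner-only directory stays ours after this check. */
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? -1 : 0;
}

/* Build a name of the form <base>/grass6-<user>-<pid> and secure it.
 * `base` and `user` are parameters of this example. */
int make_session_dir(const char *base, const char *user, char *out, size_t n)
{
    int len = snprintf(out, n, "%s/grass6-%s-%ld", base, user, (long)getpid());
    if (len < 0 || (size_t)len >= n)
        return -1;              /* truncated name: refuse, do not guess */
    return make_private_dir(out);
}

int main(void)
{
    char dir[4096];
    if (make_session_dir("/tmp", "demo", dir, sizeof dir) != 0) {
        fprintf(stderr, "refusing to use session directory\n");
        return 1;
    }
    printf("session directory ready: %s\n", dir);
    return rmdir(dir) == 0 ? 0 : 1;
}
```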