[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [GRASS5] Re: [Pkg-grass-general] r.terraflow ?



Hamish wrote:

> > > > Isn't r.terraflow modul added to grass6 (installed as debian
> > > > package).
> > > 
> > > No. There is an outstanding security issue that precludes it from
> > > being part of the Debian package. (insecure temp files)
> > > 
> > > See /usr/share/doc/grass/changelog.Debian.gz
> > 
> > What's keeping us from patching r.terraflow then? I'm guessing it's
> > probably swapping one libc function for another, no?
> 
> 
> Not very much, just needs to be changed to use a directory created with
> G_tempfile() or tmpfile() instead of /var/tmp/ by default for the
> STREAM_DIR= option.
> 
> G_tempfile() creates a temporary file in the users' mapset repository,
> e.g. $MAPSET/.tmp/$HOSTNAME/12345.0
> 
> Just need to remove that file, mkdir something of the same name & 
> cleanup when done?
> 
> G_tempfile() is found in the grass source in lib/gis/tempfile.c
> 
> Alternatively & maybe better use tmpfile(). G_tempfile() & usage 
> rules may be in flux in the near future, please read this thread:
>   http://thread.gmane.org/gmane.comp.gis.grass.devel/8065

The simplest approach is likely to be to use the session directory
/tmp/grass6-<user>-<pid>. That should be writable only by its owner. 
So long as that directory is created securely, we don't need to worry
about creating files inside it. At least, not from a security
standpoint; race conditions could still be an issue for background
processes.

-- 
Glynn Clements <glynn@gclements.plus.com>



Reply to: