
What does linda mean here?



Hi,

when run on the package I want to adopt, netenv, linda complains:

W: netenv; Maintainer script postinst may use temp files insecurely.
 The maintainer script listed above may use temporary files insecurely, 
such as writing to the same file in /tmp, or not checking if said file 
exists before blowing it away.

How can I find out what linda could mean? As far as I can see, no
tempfiles are used in the postinst. There are two occurrences of "tmp",
but that's just when cleaning up for old files that shouldn't be
there. So this is o.k., but adding overrides for these didn't make linda
silent (see below for details). 

So obviously linda sees a different problem that I overlooked. How can I
find out what this is? 

Any help would be appreciated.

Thanks, Frank

==============
Appendix: Details

This is what I tried with overrides, I think they're o.k.?

Tag: insecure-tmp-handling
Data: /var/tmp/netenv.*

Tag: insecure-tmp-handling
Data: .*netenv.tmp.*

and in postinst:

***********************
# clean up for old bug
find /etc/netenv \( -name "dialo*" ! -name "*-*" \) -o \( -name "netenv.tmp.*" \) -exec rm -f {} \;
# clean up temporary file of version 0.82
if [ -f /etc/netenv/netenv ]; then 
                cat > /etc/netenv/netenv <<EOF
This file is no longer used or updated; you can
safely remove it.

Please refer to the tempfile
/var/tmp/netenv*
   
EOF
***********************

I've tried to have a look at linda's source. However, I don't know
python at all, so I don't understand. It seems the main piece of code is
the following:

if re.search('^\s*(/var)?/tmp/\w', k) and \
        k.find('mktemp') == k.find('tempfile') == \
        k.find('mkdir') == -1:
    things_found['tmp'] = 1

The re.search probably matches the /var/tmp/netenv line in the
here-document, and if k.find means whether any of the arguments is there
(and -1 that all are not), it should be that line. That would match the
second occurrence of tmp below, but then why does the override not work?




-- 
Frank Küster, Biozentrum der Univ. Basel
Abt. Biophysikalische Chemie
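
Added example, not part of the original message and not linda's own code: the condition quoted above, applied line by line to the posted postinst excerpt to show which line satisfies it. It assumes `k` is a single line of the maintainer script; the names `line_is_flagged`, `flagged_lines` and `POSTINST` are hypothetical.

```python
import re

# Pattern and exclusion words copied from the linda excerpt quoted in the message.
TMP_PATH = re.compile(r'^\s*(/var)?/tmp/\w')
SAFE_HINTS = ('mktemp', 'tempfile', 'mkdir')


def line_is_flagged(k):
    """Same condition as the quoted check, for one line k (assumption: k is a line)."""
    return bool(TMP_PATH.search(k)) and all(k.find(h) == -1 for h in SAFE_HINTS)


def flagged_lines(script):
    """Return (line number, text) for every line that satisfies the condition."""
    return [(n, line) for n, line in enumerate(script.splitlines(), 1)
            if line_is_flagged(line)]


# The postinst excerpt from the message (whitespace normalised).
POSTINST = r'''# clean up for old bug
find /etc/netenv \( -name "dialo*" ! -name "*-*" \) -o \( -name "netenv.tmp.*" \) -exec rm -f {} \;
# clean up temporary file of version 0.82
if [ -f /etc/netenv/netenv ]; then
    cat > /etc/netenv/netenv <<EOF
This file is no longer used or updated; you can
safely remove it.

Please refer to the tempfile
/var/tmp/netenv*

EOF
'''

if __name__ == '__main__':
    for n, line in flagged_lines(POSTINST):
        print('line %d satisfies the check: %r' % (n, line))
    # Constructed contrast line: a redirect into /var/tmp does not start with
    # the path, so the '^\s*' anchor keeps the pattern from matching it.
    print(line_is_flagged('cat > /var/tmp/netenv.out'))
```

Under that assumption only the here-document text line beginning with `/var/tmp/` satisfies the condition; the `find` line and the "tempfile" sentence do not, because neither starts with a `/tmp/` or `/var/tmp/` path.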


