Re: [gmail] Re: sponsor quake3 quake3-data packages
On Thu, Nov 10, 2005 at 02:31:09PM +0100, Marc Leeman wrote:
> > (most of these problems are probably inherited from the quake2
> > packaging you used). You will have to fix most of these before
> > someone should sponsor the package.
>
> > W: quake3-data: possibly-insecure-handling-of-tmp-files-in-maintainer-script postinst:225
>
> I use /tmp/ for the place to download the point and demo files. This
> used to be /root/. Since I do not think temporary installs should be
> dl'd there, I moved them to tmp. The extraction of the file is done in a
> dir with tempfile. I could move this one level deeper and again use
> tmpfile, but from a functional point of view, this does not change much,
> especially since the warning only kicks in when the default from
> templates is emptied out in the user interaction.
Lintian is right, if for the wrong reason.
tempdir() {
_TEMPDIR=`tempfile --directory $1 --prefix quake3-data`
# kill off fresh tempfile
rm $_TEMPDIR
mkdir $_TEMPDIR
echo $_TEMPDIR
}
That is a tag + security race condition between rm and mkdir. You'll
want to use mktemp -d instead.
I didn't look at your script closely; there may be other problems.
Nothing should ever get written to /tmp/ except if the output filename
is the result of a successful ($?==0) call to mktemp or tempfile.
--
Clear skies,
Justin
Reply to: