
[gopher] Re: Security problems in gopherd (Was Security alert)



On Thu, Jan 18, 2001 at 01:15:49AM -0500, John Goerzen wrote:
> 
> One option would be to create a directory in /tmp, mode 0700, and put
> all files in it.  This would allow the more-portable tempnam() to
> continue to be used.  In the course of auditing sprintf()s, I did come
> across one or two open() calls for /tmp files and added O_EXCL to the
> list as a temporary measure...
> 
> -- John

I just added the mktmpdir() function in serverutil.c to create this
directory.  Take a look at it and tell me if I'm missing anything
(since I'm not up on security as much as I should be).

If everything is kosher, I'll change those tmpnam calls to use this
directory.  Is there a clean way to do this other than adding another
entry to globals.h?  (I really hate globals like ASKfile and Gticket
where it's hard to figure out what the scope of the damage is going to
be if you change a call where they are involved)

-- 
David Allen
http://opop.nols.com/



