<<< Date Index >>>     <<< Thread Index >>>

Re: [PATCH] Squelch compiler warnings



On Sat, Nov 06, 2010 at 12:47:02AM +0100, Moritz Barsnick wrote:
> On Fri, Nov 05, 2010 at 11:28:32 +0100, Vincent Lefevre wrote:
> > On 2010-11-04 18:41:55 +0530, Ramkumar Ramachandra wrote:
> > > * Replace several 'mktemp' with safer 'mkstemp' alternative.
> > But there is a difference in case of error. According to the man pages,
> 
> The reasoning for using mktemp vs. mkstemp was described in Msg-ID
> <20060817052317.GA4059@robert>[*] in August 2006 by good old Rocco (God
> bless his soul), after I had actually asked.  :)  It didn't sound like
> it was intended to be replaced. (Yes, that was a "get rid of warnings"
> sub-thread back then. Déjà vu?)

Rocco is right, of course.  Although, there *is* a way to do this
safely, if I'm not mistaken...  

1. Call mkstemp() to create and open your tmp file safely
2. append the desired suffix to the resulting name
3. call link() to create the new name (a hard link)
4. write the file as you would using the file descriptor you got from
   mkstemp()
5. unlink the name returned by mkstemp(), leaving only the desired
   name with its extension

NOTES:

The call to link() guarantees that the resulting name did not exist,
if it succeeds.  If it does not, you do have to decide how to handle
the error (safest thing to do is unlink the temp file created and
start again -- but there should be some loop detection to detect a
DoS).  For maximum security, you MUST use the file descriptor returned
by mkstemp(), and DO NOT reopen the file to get a new file descriptor.
However unlikely, it's possible due to a race condition that an
attacker could have found your new temp file and removed/renamed it
before you re-open it.

Glancing at the patch (and not the code), it looks to me like in some
cases, the thing being created is a directory, not a file.  In that
case, I believe there's actually no need to bother with all this
chicanery.  Just use mkdtemp() directly and modify the code suitably.

In any event, the patch is no good, because as Vincent points out, the
interfaces of mktemp and mkstemp are incompatible, and the code which
uses each must be different.  If the thing being created is a file and
nothing goes wrong, it will sort of work... but otherwise it's broken,
sometimes giving a file when a directory was needed, and giving bad
results whenever an error condition occurs.  Unless I missed
something, the approach above should both eliminate the warning (and
the associated security weakness) and actually work. =8^)

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.

Attachment: pgpnm9YM7wS5U.pgp
Description: PGP signature