Rogier Wolff wrote: > > > > This was not intentional by the author, he tried to use tempfile(1) to > > > > create the temporary filename. However, due to a thinko, the name was > > > > hardcoded into the script. > > > [...] > > > > +#NNTPactive=\`tempfile -p active\` #"/tmp/active.\$\$" > > > > > > So now you're using tempfile? This usually yields an easily > > > > No, but now we're using tempfile in a proper way. In the original source > > code it was used like: > > > > NNTPactive=`tempfile -p active` > > This is what I meant. You've made it just a teeny bit harder to exploit, > but the same expoit is still there. > > 10 years ago, this solution would've been adequate. Nowadays everbody > should know that this is very hard to get right. Mover the "bad guys" > already have the exploit programs ready. > > Creating a tempfile from a C program is possible since we have a > mkstmp call. It is sufficiently tricky that I wouldn't dare I'm sorry, but I don't understand. tempfile is a C program that creates a tempfile. DESCRIPTION tempfile creates a temporary file in a safe manner. It uses tempnam(3) to choose the name and opens it with O_RDWR | O_CREAT | O_EXCL. The filename is printed on standard output. > replicating the functionality myself. Creating a private directory in > /tmp and putting the tempfiles in there might be the only solution for > shell scripts. In which case you only make things more difficult to exploit, since such a directory would be guessable as well as a tempfilename would, same for the file inside of it. Regards, Joey -- Whenever you meet yourself you're in a time loop or in front of a mirror.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:58:28 PDT