bug-gnu-utils

Re: Bug#286392: autopoint: Insecure temporary directory usage


From: Martin Schulze
Subject: Re: Bug#286392: autopoint: Insecure temporary directory usage
Date: Thu, 23 Dec 2004 10:01:14 +0100
User-agent: Mutt/1.5.6+20040907i

Javier Fernández-Sanguino Peña wrote:
> > Martin "Joey" Schulze, from the security team, agrees with me that this
> > is not really a bug, 
> 
> I can't comment on that statement since I have not seen that.

Here's what I wrote:

| Na, it's a user-too-stupid-error, rm is also vulnerable if the user
| types rm -rf /.  We cannot prevent people from doing that.

> > in the sense that we should not be responsible
> > for the user's own stupidity.
> 
> Then I wonder why both tempdir(), tempfile() and mktemp do not honor the
> user's umask and make temporary stuff 0700? There's a simple reason for
> this: race conditions are easy to make work since the contents are
> predictable, that's actually something that does not happen so easily with
> other stuff, I cannot foresee that you will edit a file named abXy.sgml and
> take advantage of this, but I can foresee that when you run utility X the
> application will make a file named X.

Feel free to fix all programs and scripts in sid, but it's not a security
issue in woody or sarge.

Regards,

        Joey

-- 
Open source is important from a technical angle.             -- Linus Torvalds

Please always Cc to me when replying to me on the lists.
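
The contrast raised in the quoted reply (mktemp making its directory 0700 whatever the umask allows, versus a predictable name created with plain mkdir), shown as an added shell example that is not part of the original message or of autopoint. The tool name `demo` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): predictable temp directory vs mktemp -d.
# All function names and the tool name "demo" are hypothetical.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Pattern under discussion: the name is derived from the tool name and PID,
# and plain mkdir gives it whatever mode the caller's umask allows.
predictable_tmpdir() {
    dir="${TMPDIR:-/tmp}/$1.$$"
    # mkdir fails if the name already exists; a script must check this
    # and stop rather than carry on inside a directory it did not create.
    mkdir "$dir" || return 1
    printf '%s\n' "$dir"
}

# Hardened pattern: mktemp -d picks an unpredictable suffix, creates the
# directory atomically and sets mode 0700 even under a permissive umask.
safe_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/$1.XXXXXX"
}

# Show both modes under a typical umask, then clean up (runs in a subshell).
demo() (
    umask 022
    a=$(predictable_tmpdir demo) && b=$(safe_tmpdir demo) || exit 1
    echo "predictable: $a mode $(mode_of "$a")"
    echo "mktemp -d:   $b mode $(mode_of "$b")"
    rm -rf "$a" "$b"
)
demo
```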



