This is the mail archive of the
insight@sources.redhat.com
mailing list for the Insight project.
Re: Fwd: insight connect window launching issues
- To: Niraj Gupta <ngupta at zumanetworks dot com>
- Subject: Re: Fwd: insight connect window launching issues
- From: Keith Seitz <keiths at cygnus dot com>
- Date: Fri, 6 Jul 2001 08:18:24 -0700 (PDT)
- cc: Insight Maling List <insight at sources dot redhat dot com>
On Thu, 5 Jul 2001, Niraj Gupta wrote:
> here is the additional info
>
> src/tcl/unix/tclUnixPipe.c:188: the use of `tmpnam' is dangerous, better use
> `mkstemp'
Linux manpage on tmpnam says "Never use this function. Use mkstemp(3)
instead."
The Solaris page says nothing (other than the multi-threaded app warning).
The OpenBSD manpage, though, says:
tmpnam() and tempnam() are provided for System V and ANSI compatibility
only. These interfaces are typically not used in safe ways. The mk-
stemp(3) interface is strongly preferred.
There are four important problems with these interfaces (as well as with
the historic mktemp(3) interface). First, there is an obvious race be-
tween file name selection and file creation and deletion: the program is
typically written to call tmpnam(), tmpname(), or mktemp(3). Subsequent-
ly, the program calls open(2) or fopen(3) and erroneously opens a file
(or symbolic link, or fifo or other device) that the attacker has placed
in the expected file location. Hence mkstemp(3) is recommended, since it
atomically creates the file.
Second, most historic implementations provide only a limited number of
possible temporary file names (usually 26) before file names will start
being recycled. Third, the System V implementations of these functions
(and of mktemp) use the access(2) function to determine whether or not
the temporary file may be created. This has obvious ramifications for
daemons or setuid/setgid programs, complicating the portable use of these
interfaces in such programs. Finally, there is no specification of the
permissions with which the temporary files are created.
This implementation does not have these flaws, but portable software can-
not depend on that.
For these reasons, ld(8) will output a warning message whenever it links
code that uses the functions tmpnam() or tempnam().
I don't think it's too big a deal, but in the interests of all, I will
send a note out to some of the maintainers/contributors and see what they
say. If they choose to act is up to them.
Thanks for the pointer.
Keith