Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
On Sun, Jan 05, 2003 at 01:55:24PM -0500, Matt Zimmerman wrote:
> > I don't have a good suggestion for how to fix tempfile properly, other
> > than for it to test the directory and to fail if these conditions are
> > not properly met.
>
> tempfile is fine, and trying to check this properly is a lot of trouble for
> minimal gain. Consider that it must check permissions _and ownership_ for
> every parent directory leading up to the root in order to be sure, and even
> then there is no realistic test. World writability? Sticky bit? Group
> writability? What if the group only contains administrators, and they
> require write access to (e.g.) the directory which contains home
> directories?
>
> > I'm going to send this on to security.
>
> Send it as you like, but tempfile is not buggy here.
Oh, OK, I'm learning ;-)
Thanks.
Julian
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Julian Gilbey, website: http://www.polya.uklinux.net/
Debian GNU/Linux Developer, see: http://people.debian.org/~jdg/
Visit http://www.thehungersite.com/ to help feed the hungry
Reply to: