[email protected] (Ludovic Courtès) writes:

> Hello,
>
> tests/syslogd.sh requires a writable /tmp.

Looking further at that test, it seems buggy from another point of view
as well: the filenames are prone to a race condition when two or more
InetUtils instances are built at the same time.  The filenames used are:

  # This good name base consumes twentythree characters.
  IU_GOOD_BASE=/tmp/$(date +%y-%m-%d)_socket_iu
  # Add a single character to violate the size condition.
  IU_BAD_BASE=/tmp/X$(date +%y-%m-%d)_socket_iu

Further, having predictable filenames has often been used by non-root
users to mount a privilege-escalation attack (just wait until the root
user runs the script), but I haven't reviewed the script to see if it
has this problem as well.  Normal practice is to use 'mktemp'.

> The workaround I’ve used in Guile is to cd $TMPDIR, create ./my-socket,
> and use that.

I would prefer a mktemp+cd approach.  It is the most secure, follows
best practices, and is the most portable.

/Simon
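
The mktemp+cd approach discussed in the message above, sketched as an added example; it is not code from InetUtils or from this thread. The function names and the iu-syslogd.XXXXXX template are hypothetical, and the socket-name length boundary that tests/syslogd.sh exercises is not reproduced here.

```shell
#!/bin/sh
# Added example: run a test step inside a private scratch directory so that
# socket names can be short, relative and free of date-based /tmp paths.

# Create an unpredictable directory under $TMPDIR (falling back to /tmp).
# mktemp -d creates it atomically with owner-only permissions, so two
# parallel builds never share a name and another local user cannot
# pre-create the path or plant a symlink there.
iu_make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/iu-syslogd.XXXXXX"
}

# Accept the path only if it is a real directory with mode 0700.
# A symlink would show up as "l..." in the listing and be rejected.
iu_check_workdir() {
    case $(ls -ld "$1" 2>/dev/null) in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run "$@" with the private directory as the current directory.
# The subshell keeps the cd and the traps local; the directory is
# removed when the command finishes or the subshell is interrupted.
iu_run_in_workdir() {
    dir=$(iu_make_workdir) || return 1
    iu_check_workdir "$dir" || { rmdir "$dir"; return 1; }
    (
        trap 'cd / && rm -rf "$dir"' EXIT
        trap 'exit 1' HUP INT TERM
        cd "$dir" || exit 1
        "$@"
    )
}

# Example call (constructed): the step only ever sees relative names.
#   iu_run_in_workdir sh -c 'touch ./good_socket ./bad_socket; ls'
```

A test that depends on the exact length of the socket path has to compute that length from the relative name it uses inside the directory, since the /tmp prefix is no longer part of it.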
