On Tue, Jan 30, 2007 at 09:44:06AM -0500, Zachary P. Landau wrote: > withTemp :: (String -> IO a) -> IO a > withTemp = bracket get_empty_file removeFileMayNotExist > - - where get_empty_file = do (h,f) <- mkstemp "darcs" > + where get_empty_file = do tmpdir <- tempdir_loc > + (h,f) <- mkstemp (tmpdir ++ "darcs") > hClose h > return f
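Review bot: `tmpdir ++ "darcs"` concatenates the directory and the template with no path separator, so unless `tempdir_loc` is guaranteed to return a trailing slash the `mkstemp` template silently becomes a sibling of the intended directory (e.g. `/tmpdarcs`); use a path-join or append `"/darcs"`. Separately, the hunk only creates the file safely (`mkstemp`, then `hClose h`), but `return f` hands the name back to callers who reopen it by name, so if `tempdir_loc` can resolve to a shared directory such as `/tmp` the file can be swapped between `hClose` and that later open. Either document and check that `tempdir_loc` yields a directory only the current user can write to, or keep the current default location for `withTemp`.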
This change would introduce temporary file creation bugs. We currently rely on withTemp by default creating files in a non-world-writeable directory in order to avoid the need to audit all our tempfile creation code. If we introduced this change, we'd have to go through and also audit both every use of withTemp, and the code of withTemp itself, if we wanted to regain the current level of security. And these audits would need to be done by someone who is more competent than me.

So far as I know, there's no secure way to pass a temp file generated in /tmp to an exec'ed program that requires it as a command-line parameter. It's just a whole can of worms. I'm sure it doesn't matter to most of our users, but some fraction I'm sure use darcs on trusted systems that allow untrusted users to simultaneously run, and we don't want those users to be able to modify the execution of darcs in any way. I don't mean there's no solution, but that I am not aware of a solution, and will want to have the assurance of someone with experience that we aren't shooting ourselves in the foot.

Actually, now that I think about it, I suspect that withTemp is inherently insecure, based on what I know, if the temp file is created in /tmp. My understanding is that any use of a filename in /tmp is a bug, and of course withTemp only allows use of the filename. I don't know all the tricks that can be used to take advantage of insecure temp file handling, but that's my understanding. Which is why we don't use /tmp for most of our temp files.

-- 
David Roundy
Department of Physics
Oregon State University
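The "non-world-writeable directory" assumption the message relies on can be checked explicitly before a temp file is created. The following is an added example, written in Python rather than Haskell and not part of darcs; `is_private_dir` and `make_private_tempfile` are hypothetical names chosen here.

```python
import os
import stat
import tempfile


def is_private_dir(path: str) -> bool:
    """True only if `path` is a real directory (not a symlink), owned by the
    calling user, and writable by nobody else.  A directory like /tmp (mode
    1777) fails this check, which is the property the message cares about:
    a file later reopened *by name* must not live where another user can
    replace it between creation and that reopen."""
    try:
        st = os.lstat(path)  # lstat: a symlink to a private dir is not itself private
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    # group- or world-writable directory: other users may unlink/replace entries
    return (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)) == 0


def make_private_tempfile(tmpdir: str, prefix: str = "darcs") -> str:
    """Create a temp file and return its name, but only inside a directory that
    passes is_private_dir.  Refuses (no silent fallback to /tmp) otherwise, so a
    caller that needs a *filename* for an exec'ed program still gets one that
    cannot be swapped out from under it by another local user."""
    if not is_private_dir(tmpdir):
        raise PermissionError(f"refusing to create a temp file in shared directory {tmpdir!r}")
    fd, name = tempfile.mkstemp(prefix=prefix, dir=tmpdir)  # O_CREAT|O_EXCL, mode 0600
    os.close(fd)
    return name


if __name__ == "__main__":
    # constructed demo: mkdtemp() creates a mode-0700 directory owned by us
    private = tempfile.mkdtemp()
    print(is_private_dir(private), is_private_dir("/tmp"))  # True False
    print(make_private_tempfile(private))
```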
_______________________________________________ darcs-devel mailing list [email protected] http://lists.osuosl.org/mailman/listinfo/darcs-devel
