On Wed, Feb 07, 2007 at 07:20:13PM +0100, Juliusz Chroboczek wrote:

> >> I think most /tmp dirs have the t-flag set, which means you must
> >> be the owner of a file to delete it from the directory. In those
> >> cases it seems safe, but I don't know for certain.
>
> I'd formulate it in a different manner. Using /tmp is most certainly
> safe on sane Linux and BSD systems. It's anyone's guess what happens on
> other OSes.
>
> In other words -- unless there's someone here who fully understands
> the semantics of the sticky bit on Solaris and HP/UX, it's not a can
> of worms we want to open.
I wonder if instead we should be using tmpfile(). The Linux manpage for it says that it conforms to POSIX.1-2001, so I would hope the other OSes will implement it correctly. The other benefit is that tmpfile() will determine the directory to use. If some OS for some reason doesn't have a secure /tmp, then it might provide another directory for tmpfile to use.

I guess my main issue is that if calls like mkstemp() and tmpfile() are meant for securely creating temporary files and an OS does not implement them correctly, darcs will only be one of the many applications that will be susceptible to attack. The issue at that point would be the security of the OS, not of an application. Sure, a workaround for applications could be made, but that feels like a hack around a bigger problem.

I don't mean to sound like I'm set on using /tmp (or tmpfile()). But it would provide a clean solution to the temp file problem, so I don't want to disregard it unless there really is a valid reason to avoid it.

--
Zachary P. Landau <[EMAIL PROTECTED]>
GPG: gpg --recv-key 0xC9F82052 | http://divineinvasion.net/kapheine.asc
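An added example, not code from the thread or from darcs, showing the three properties the post leans on: whether a directory carries the sticky bit, that mkstemp() yields an owner-only file whose name was chosen at creation time, and that tmpfile() hands back a file that is already unlinked. The use of /tmp and the template name are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* 1 if 'dir' has the sticky bit (S_ISVTX), 0 if not, -1 if it is not a
 * readable directory. With the bit set, only a file's owner, the directory
 * owner or root may unlink or rename entries inside it. */
int dir_has_sticky_bit(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return (st.st_mode & S_ISVTX) ? 1 : 0;
}

/* mkstemp(3) picks the name and opens it O_CREAT|O_EXCL, so a pre-existing
 * entry (e.g. a planted symlink) makes it fail instead of being followed.
 * 'template' must end in XXXXXX and is overwritten with the chosen name.
 * Returns the fd or -1. */
int create_private_tempfile(char *template)
{
    int fd = mkstemp(template);
    if (fd < 0)
        return -1;
    /* Older libcs created with mode 0666; enforce owner-only regardless. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(template);
        return -1;
    }
    return fd;
}

/* Permission bits of an open descriptor (e.g. 0600), or -1. */
int fd_mode_bits(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* 1 if tmpfile(3) returns a file with no directory entry (st_nlink == 0),
 * meaning nothing in the namespace can be used to swap it out; -1 on error. */
int tmpfile_is_unlinked(void)
{
    struct stat st;
    FILE *f = tmpfile();
    if (!f)
        return -1;
    int unlinked = (fstat(fileno(f), &st) == 0 && st.st_nlink == 0) ? 1 : 0;
    fclose(f);
    return unlinked;
}
```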
_______________________________________________
darcs-devel mailing list
darcs-devel@darcs.net
http://lists.osuosl.org/mailman/listinfo/darcs-devel