> My concern is just that my understanding of how to properly use mkstemp()
> and tmpfile() is that you can't close the file or rely on its name, both of
> which we need to do in order to interface with external programs.
>
> > I don't mean to sound like I'm set on using /tmp (or tmpfile()). But it
> > would provide a clean solution to the temp file problem, so I don't want
> > to disregard it unless there really is a valid reason to avoid it.
>
> A clean solution would certainly be nice... I just don't see a solution,
> unless it's just that "once you've created a file in /tmp, you can do
> whatever you like with it, as long as you don't delete it, and you're still
> safe from attack". If that sentence were true, we'd be fine using /tmp
> with mkstemp() using the $TMPDIR (or just /tmp)---I still don't see how we
> could use tmpfile().
I've just skimmed over http://tldp.org/HOWTO/Secure-Programs-HOWTO/avoid-race.html a bit. There do appear to be reasons why you can't securely use mkstemp and then close the file. I'll read more details into that tonight. But the general idea seems to be that there are a lot more issues with /tmp than just the basic race condition with regard to the filename. That page does start going into ways you can avoid using mkstemp and still be secure, but it looks tricky. And tricky usually means that we will make a mistake somewhere and there will be a security flaw.

So I think you are justified in avoiding /tmp. I hereby concede.

I do still like the fallback of using $HOME/.darcs/tmp if we fail every other method we have of getting a valid directory. If we can all agree on that, I'll whip up a patch to implement that.

--
Zachary P. Landau <[EMAIL PROTECTED]>
GPG: gpg --recv-key 0xC9F82052 | http://divineinvasion.net/kapheine.asc
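Added illustration (my own code, not darcs' and not anything posted in this thread) of the "close the file, then rely on its name" problem the two posts above are circling. It creates a private 0700 scratch directory with mkdtemp(), so the names inside are not in a world-writable directory, then creates the file with mkstemp(), records its (st_dev, st_ino) identity while the descriptor is still open, closes it, and later reopens by name with O_NOFOLLOW plus an identity check. The scenario function also simulates, within the same process, the two things a later reopen has to refuse: a different file renamed over the path and a symlink planted at the path. All helper names are my own; the base directory comes from $TMPDIR with a /tmp default, and the $HOME/.darcs/tmp fallback proposed above is left out.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Base directory for scratch space: $TMPDIR if set, else /tmp.  The
 * $HOME/.darcs/tmp fallback from the thread is omitted here (assumption). */
const char *scratch_base(void) {
    const char *t = getenv("TMPDIR");
    return (t && *t) ? t : "/tmp";
}

/* Create a private scratch directory under `base`.  mkdtemp() creates it
 * atomically (nobody can pre-plant a symlink at the name) with mode 0700,
 * so other unprivileged users cannot create, rename or unlink entries in
 * it.  That is what makes the *names* of files inside safe to hand out.
 * Returns 0 and writes the path into `dir`, or -1 on failure. */
int make_private_dir(const char *base, char *dir, size_t dirlen) {
    if (snprintf(dir, dirlen, "%s/darcsXXXXXX", base) >= (int)dirlen)
        return -1;
    return mkdtemp(dir) != NULL ? 0 : -1;
}

/* Create a file in `dir` with mkstemp() (O_CREAT|O_EXCL, mode 0600) and
 * record its identity from the still-open descriptor.  The caller may
 * close the fd afterwards and pass `path` to an external program. */
int make_temp_file(const char *dir, char *path, size_t pathlen,
                   struct stat *ident) {
    if (snprintf(path, pathlen, "%s/fileXXXXXX", dir) >= (int)pathlen)
        return -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (fstat(fd, ident) != 0) { close(fd); unlink(path); return -1; }
    return fd;
}

/* Reopen a temp file by name after it was closed.  O_NOFOLLOW rejects a
 * symlink at the path; comparing (st_dev, st_ino) with the identity taken
 * at creation rejects a different file swapped in under the same name.
 * Returns an fd, or -1 if the path no longer refers to our file. */
int reopen_verified(const char *path, const struct stat *ident, int flags) {
    int fd = open(path, flags | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat now;
    if (fstat(fd, &now) != 0 || !S_ISREG(now.st_mode) ||
        now.st_dev != ident->st_dev || now.st_ino != ident->st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/* End-to-end check of the helpers.  Returns 0 when every step behaves as
 * intended, or a negative code naming the first step that did not. */
int run_scenario(const char *base) {
    char dir[4096], path[4096], other[4096] = "", buf[16];
    struct stat ident;
    int rc = 0, fd;

    if (make_private_dir(base, dir, sizeof dir) != 0)
        return -1;
    fd = make_temp_file(dir, path, sizeof path, &ident);
    if (fd < 0) { rmdir(dir); return -2; }
    if (write(fd, "hello", 5) != 5) rc = -3;
    close(fd);                  /* here `path` would go to an external tool */

    /* Honest case: same inode, reopen succeeds and the data is intact. */
    if (rc == 0) {
        fd = reopen_verified(path, &ident, O_RDONLY);
        if (fd < 0) rc = -4;
        else {
            ssize_t n = read(fd, buf, sizeof buf);
            close(fd);
            if (n != 5 || memcmp(buf, "hello", 5) != 0) rc = -5;
        }
    }
    /* Substitution (simulated by this process): a different inode is
     * renamed over our path.  The identity check must refuse it. */
    if (rc == 0) {
        snprintf(other, sizeof other, "%s/other", dir);
        int ofd = open(other, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (ofd < 0 || rename(other, path) != 0) rc = -6;
        if (ofd >= 0) close(ofd);
        int bad = (rc == 0) ? reopen_verified(path, &ident, O_RDONLY) : -1;
        if (bad >= 0) { close(bad); rc = -7; }
    }
    /* Symlink planted at the name: O_NOFOLLOW makes open() fail. */
    if (rc == 0) {
        unlink(path);
        if (symlink("/dev/null", path) != 0) rc = -8;
        else if (reopen_verified(path, &ident, O_RDONLY) >= 0) rc = -9;
    }
    unlink(path);
    unlink(other);
    rmdir(dir);
    return rc;
}

int main(void) {
    int rc = run_scenario(scratch_base());
    printf("scenario result: %d (0 = all checks passed)\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The private directory is what answers the "you can't rely on its name" worry: inside a 0700 directory the program itself created, only the owner and root can touch the entries, so a name can be passed to an external program without a world-writable /tmp being in the picture. The identity check on reopen is the belt-and-braces part, and it is also the cheap way to detect that something did go wrong rather than silently reading whatever now sits at that name.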
_______________________________________________
darcs-devel mailing list
darcs-devel@darcs.net
http://lists.osuosl.org/mailman/listinfo/darcs-devel