On 2009-11-12 20:52-0000 Andrew Ross wrote: > > Hi Alan, > > Thank's for reminding me about this. To do this right is, as you say, > not trivial. I think we need to write a wrapper function which > we use in the code, and which in turn will use mkstemp or some > windows equivalent.
Agreed. > > Note that your windows "fix" uses mktemp which is itself not > secure. I am no security expert, but I think it is OK. Of course, "man 3 mktemp" says never use it because the name can be too easily guessed making it much easier for crackers in general to win the race and guess the file name (so they can do something insecure with it) before the file is actually opened. On the other hand, there is only a short period of time (nanosecs) for them to win that race with the code at http://www.mail-archive.com/pan-devel%40nongnu.org/msg00294.html because the open occurs right after mktemp is finished. I was going to stop the discussion there because that is probably already good enough security, but then I read further, and it turns out O_EXCL flag is used for the open (which according to "man mkstemp" is what really completely shuts down the security hole). In sum, I think there is complete security ("famous last words...." :-) ) for this Windows variant of mkstemp. > Also, I understand that tmpfile which we use elsewhere in the > code can have some issues. > > Finally, mkstemp does not (as far as I know) add a suitable path on > or honour TMP / TEMP / TMPFILE variables, so we'd need to add code > to support this. I agree we would have to figure out a writeable path for the temporary file. I assume we specify that path as part of the template? > > Hmmm. Why, after all these years, has no-one got this right? > > I see octave does contain a mkstemp function. I am assuming > this is safe and I've replaced tmpnam with mkstemp in these cases, > although the re-use of the file name is not guaranteed secure if tmp > directory cleaners are in use. This is also a problem with the C functions, > and means we may have to re-write code to avoid passing tmp file names > around. I am not sure I understand your concern here. By definition mkstemp creates a filename that is in continuous use (remember it opens a file corresponding to the name) so I don't think anything could destroy that except by design, i.e, when the PLplot code tries to reuse that filename by opening a file with that same name (which is how I assume we will use the mkstemp results rather than paying any attention to the filedescriptor also returned by mkstemp). Note, I am not completely sure of my ground for any of the above comments but just putting out what I hope are reasonable interpretations of the relevant man documentation to encourage discussion. So I will be most interested in your reply to my remarks. However, soon after that reply I think we should try implementing our joint ideas about the right way to go about removing the last tmpnam use in PLplot simply as a sanity check of those ideas. Alan __________________________ Alan W. Irwin Astronomical research affiliation with Department of Physics and Astronomy, University of Victoria (astrowww.phys.uvic.ca). Programming affiliations with the FreeEOS equation-of-state implementation for stellar interiors (freeeos.sf.net); PLplot scientific plotting software package (plplot.org); the libLASi project (unifont.org/lasi); the Loads of Linux Links project (loll.sf.net); and the Linux Brochure Project (lbproject.sf.net). __________________________ Linux-powered Science __________________________ ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Plplot-devel mailing list Plplot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/plplot-devel
