On 2/15/07, Dan Nelson <[EMAIL PROTECTED]> wrote:
In the last episode (Feb 15), Thomas Dickey said: > On Wed, Feb 14, 2007 at 10:57:12PM -0600, Dan Nelson wrote: > > In the last episode (Feb 14), Dak Ghatikachalam said: > > > I am am puzzled how to secure this code when this shell script is > > > being executed. > > > > > > ${ORACLE_HOME}/bin/sqlplus -s <<EOF | tee -a ${RESTOREFILE} [...] > > > EOF > > > > > > When I run this code from shell script in /tmp directory it spews > > > file called /tmp/sh03400.000 in that I have this entire code > > > visible. > > > > I bet if you check the permissions you'll find the file has mode > > 0600, which means only the user running the script can read the > > file (at least that's what a test using the pdksh port does on my > > system). ksh93 does have a problem, though: it opens a file and > > immediately unlinks it, but the file is world-readable for a short > > time. > > Doesn't it (ksh93, etc) pay attention to umask? > If it does, the script should use that feature. It does honor umask, but I think temp files should be created mode 0600 in all cases. A person may have a umask of 022 to allow normal files to be read by group members but still not want them to see here-document contents. They may not even realize that their shell is using tempfiles. Some shells use pipes (bash and ash do; zsh uses an 0600 tempfile that it immediately unlinks; Solaris sh uses an 0600 tempfile). > > Both ksh variants honor the TMPDIR variable, though, so if you create a > > ~/tmp directory, chmod it so only you can access it, then set > > TMPDIR=~/tmp , you will be secure even if you're using ksh93. > > relatively (it's not a given that people haven't opened up ~/tmp) I think if someone has gone to the trouble of creating a private ~/tmp directory, they probably know what they're doing and know the consequences of opening it up.
I appreciate all your response. Thanks a lot for insight on unix fundementals The issue I had is solved by doing umask 077 at the start of the script, so what it did was it created the temporary files with read+write for owner of the file , and in my process I also create directories while RMAN backup is being run, so that umask 077 for directory gave rwx for directories while creation This problem I had is solved now, it is secure Thanks Dak
-- Dan Nelson [EMAIL PROTECTED] _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to " [EMAIL PROTECTED]"
_______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"