
Re: snapshot regression test try 2

To: xfs mailing list <linux-xfs@xxxxxxxxxxx>
Subject: Re: snapshot regression test try 2
From: Ethan Benson <erbenson@xxxxxxxxxx>
Date: Fri, 30 Aug 2002 23:08:13 -0800
In-reply-to: <20020830212201.BJBU18615.imf08bis.bellsouth.net@TAZ2>; from freemyer@xxxxxxxxxxxxxxxxx on Fri, Aug 30, 2002 at 05:19:04PM -0400
Mail-copies-to: nobody
Mail-followup-to: xfs mailing list <linux-xfs@xxxxxxxxxxx>
References: <20020830212201.BJBU18615.imf08bis.bellsouth.net@TAZ2>
Sender: linux-xfs-bounce@xxxxxxxxxxx
User-agent: Mutt/1.2.5i
On Fri, Aug 30, 2002 at 05:19:04PM -0400, Greg Freemyer wrote:
>   >>  > tmp=/tmp/$$
> 
>  >>  very predictable, use tmp=`mktemp -d` || exit 1
> 
> Someone with SGI,  
> 
> Ethan has recommended the above change to my script.  It is easy enough to 
> do.  As a matter of fact I have already done it.
> 
> Every other script in xfstests uses the tmp=/tmp/$$ as a prefix for temp 
> files.

i would recommend they be changed to handle /tmp securely, granted it's
probably unlikely that these tests are run on multiuser systems (since
if they blow something up the users will be annoyed) but if not for
any other reason than to help prevent further proliferation of
insecure broken code by way of people just getting ideas from these
scripts, they should be corrected.

> Ethan's recommendation is to use a unique directory and place temporary files 
> in the directory.

when dealing with /tmp you either need to create your tmp file securely
(this means getting an unpredictable filename and opening it with
O_EXCL, this is only possible via mktemp (or tmpfile) in shell
scripts) the alternative is creating a directory with tight
permissions securely, this also means an unpredictable name (to avoid
simple DoS) and proper error checks, mktemp -d is the ideal
mechanism.  once a secure directory is available you can do pretty
much whatever you want inside it without worrying.

> I can see where Ethan's suggestion is better, but for consistency's sake it may 
> be better to put it back the way it was.
> 
> Please advise.
> 
> Greg

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
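
Added example (not part of the original message and not xfstests code): a sketch of the change discussed in this thread, contrasting the tmp=/tmp/$$ prefix with a mktemp -d work directory. The function names, the xfstests.XXXXXX template and the sandbox directory standing in for a shared /tmp are assumptions.

```shell
#!/bin/sh
# Added example, not xfstests code. Function names, the xfstests.XXXXXX
# template and the sandbox standing in for a shared /tmp are assumptions.

# Old pattern: the prefix is only the PID, so it can be computed in advance.
predictable_prefix() {            # $1 = shared temp directory
    printf '%s/%s\n' "$1" "$$"
}

# Returns 0 when a plain redirect to the predictable name writes into a file
# that already existed, without the script seeing any error.
predictable_name_reuses_existing() {   # $1 = shared temp directory
    out="$(predictable_prefix "$1").out"
    : > "$out" || return 1             # constructed: name taken before the test ran
    ln "$out" "$1/witness" || return 1 # second name for that same pre-existing file
    echo "test output" > "$out" || return 1   # succeeds silently (no O_EXCL)
    [ "$(cat "$1/witness")" = "test output" ]
}

# Recommended pattern: mktemp -d chooses a random name and creates the
# directory in one step with mode 0700, failing rather than reusing an entry.
secure_workdir() {                # $1 = shared temp directory
    dir=$(mktemp -d "$1/xfstests.XXXXXX") || return 1
    # Proper error checks: a real directory, accessible by the owner only.
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ "$(ls -ld "$dir" | cut -c1-10)" = "drwx------" ] || return 1
    printf '%s\n' "$dir"
}

sandbox=$(mktemp -d) || exit 1    # constructed stand-in for /tmp
trap 'rm -rf "$sandbox"' EXIT     # always clean up, including on failure

if predictable_name_reuses_existing "$sandbox"; then
    echo "predictable name: output landed in a pre-existing file"
fi

tmp=$(secure_workdir "$sandbox") || exit 1
echo "private work directory: $tmp"
echo "scratch data" > "$tmp/seq.out"   # plain names are fine inside it
```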
