[GRASS5] Re: [Pkg-grass-general] r.terraflow ?

Fri Jun 24 05:19:32 EDT 2005

On Fri, 2005-06-24 at 09:56 +0100, Glynn Clements wrote:
> Hamish wrote:
> 
> > > > > Isn't r.terraflow modul added to grass6 (installed as debian
> > > > > package).
> > > > 
> > > > No. There is an outstanding security issue that precludes it from
> > > > being part of the Debian package. (insecure temp files)
> > > > 
> > > > See /usr/share/doc/grass/changelog.Debian.gz
> > > 
> > > What's keeping us from patching r.terraflow then? I'm guessing it's
> > > probably swapping one libc function for another, no?
> > 
> > 
> > Not very much, just needs to be changed to use a directory created with
> > G_tempfile() or tmpfile() instead of /var/tmp/ by default for the
> > STREAM_DIR= option.
> > 
> > G_tempfile() creates a temporary file in the users' mapset repository,
> > e.g. $MAPSET/.tmp/$HOSTNAME/12345.0
> > 
> > Just need to remove that file, mkdir something of the same name & 
> > cleanup when done?
> > 
> > G_tempfile() is found in the grass source in lib/gis/tempfile.c
> > 
> > Alternatively & maybe better use tmpfile(). G_tempfile() & usage 
> > rules may be in flux in the near future, please read this thread:
> >   http://thread.gmane.org/gmane.comp.gis.grass.devel/8065
> 
> The simplest approach is likely to be to use the session directory
> /tmp/grass6-<user>-<pid>. That should be writable only by its owner. 
> So long as that directory is created securely, we don't need to worry
> about creating files inside it. At least, not from a security
> standpoint; race conditions could still be an issue for background
> processes.

I'm working on it.  I need some sleep, so I'll finish it up tomorrow and
post a patch.

Oddly, enough, I was just about to post a message about handling /tmp.
Creating a dir as you stated above answered it.

While I'm at it, should I create 'char *G_mktemp(int global)' and 'int
G_rmtemp(char *path)' functions?

-- 
Brad Douglas <rez at touchofmadness.com>