[GRASS5] files stored in /tmp/ from init.sh
Glynn Clements
glynn at gclements.plus.com
Wed Feb 2 20:42:45 EST 2005
Glynn Clements wrote:
> > re. GRASS Bug # 2877 (Debian Bug # 287651)
> > Insecure use of the '/tmp/' directory.
> >
> > I'm getting through the instances; pretty much done actually.
> > g.tempfile didn't have to change.
> >
> >
> > There's one that goes deeper than I want to mess with, i.e. the locking
> > mechanism..
> >
> > /tmp/grass6-$USER-$GIS_LOCK/gisrc
> >
> > referenced by
> >
> > lib/init/init.sh
> > lib/gis/unix_socks.c
> >
> > (changing this might mean lib/gis/win32_pipes.c needs to be changed too)
> >
> >
> > The "/tmp/grass6-$USER-$GIS_LOCK/gisrc" file is predictable, leaving the
> > system open to symlink attacks...
> >
> > can someone who understands the internals look into this please?
>
> The startup should create the /tmp/grass6-$USER-$GIS_LOCK directory
> such that it is only accessible to the current user. If the directory
> already exists, the startup should abort.
Clarification: by "should", I mean that it ought to work this way; I
don't think that it does at present.
--
Glynn Clements <glynn at gclements.plus.com>
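
The behaviour described in the message above (create the per-session directory so that only the current user can access it, and abort if it already exists), sketched as an added example that is not part of the original message and is not GRASS code. The function name `make_session_dir` and its arguments are hypothetical; only the `grass6-$USER-$GIS_LOCK` naming comes from the thread.

```shell
# Added example, not from lib/init/init.sh. make_session_dir is a
# hypothetical helper; only the grass6-$USER-$GIS_LOCK name is from the thread.
make_session_dir() {
    # $1 = base temp directory (e.g. /tmp)
    # $2 = user name            (the thread's $USER)
    # $3 = lock id              (the thread's $GIS_LOCK)
    dir="$1/grass6-$2-$3"

    # mkdir without -p is a single atomic operation that fails when the
    # name already exists in any form: directory, regular file, or a
    # symlink placed there in advance by another user. -m 700 applies
    # owner-only permissions at creation, so the directory is never
    # group- or world-accessible, even briefly.
    if ! mkdir -m 700 "$dir" 2>/dev/null; then
        echo "ERROR: $dir already exists or cannot be created; aborting" >&2
        return 1
    fi

    # Files created inside (such as gisrc) are now protected by the
    # directory's permissions, so their names may be predictable.
    printf '%s\n' "$dir"
}

# Intended call from a startup script (commented out so that sourcing
# this file has no side effects):
#   session_dir=$(make_session_dir /tmp "$USER" "$GIS_LOCK") || exit 1
#   GISRC="$session_dir/gisrc"
```

The pattern to avoid is a check followed by a create (`[ -d "$dir" ] || mkdir "$dir"`) or `mkdir -p`, both of which accept a directory or symlink that someone else put there first.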