[GRASS5] files stored in /tmp/ from init.sh
Glynn Clements
glynn at gclements.plus.com
Sun Jan 30 19:34:27 EST 2005
Hamish wrote:
> re. GRASS Bug # 2877 (Debian Bug # 287651)
> Insecure use of the '/tmp/' directory.
>
> I'm getting through the instances; pretty much done actually.
> g.tempfile didn't have to change.
>
>
> There's one that goes deeper than I want to mess with, ie the locking
> mechanism..
>
> /tmp/grass6-$USER-$GIS_LOCK/gisrc
>
> referenced by
>
> lib/init/init.sh
> lib/gis/unix_socks.c
>
> (changing this might mean lib/gis/win32_pipes.c needs to be changed too)
>
>
> The "/tmp/grass6-$USER-$GIS_LOCK/gisrc" file is predictable, leaving the
> system open to symlink attacks...
>
> can someone who understands the internals look into this please?
The startup should create the /tmp/grass6-$USER-$GIS_LOCK directory
such that it is only accessible to the current user. If the directory
already exists, the startup should abort.
If no-one else can write to that directory, it doesn't matter how
files are created within it.
--
Glynn Clements <glynn at gclements.plus.com>
More information about the grass-dev
mailing list