On Tue, Mar 13, 2007 at 12:33:32AM +0100, Javier Fernández-Sanguino Peña wrote:
> On Mon, Mar 12, 2007 at 01:46:42PM -0400, Justin Pryzby wrote:
> > This is apparently supposed to be a safe and portable way of making
> > tempfiles; but tempfile wrappers are essentially guaranteed to be unsafe.
>
> Have you actually looked where Tiger's tempfiles are created before filing
> this bug?
> They are created in the working directory (which is /var/run/tiger) or in the
> log directory (/var/log/tiger). They are *not* created under /tmp (unless
> somebody defines $WORKDIR when building Tiger to point there, which the
> Debian packages do not do)
>
> Moreover:
>
> $ ls -ld /var/*/tiger
> drwxr-xr-x 2 root root 16384 2007-03-13 00:01 /var/log/tiger
> drwx------ 3 root root  4096 2006-08-30 14:18 /var/run/tiger
>
> So none of the temporary directories are writable by a user who is *not* root
> already.
>
> If you find an instance of safe_temp() that gets used outside this feel free
> to reopen the bug. But right now your claim is bogus.
>
> Safe_temp could be improved so it would place files in $WORKDIR if they are
> given as relative (and not absolute) but right now no modules do this.

Alright, the context of safe_temp use does in fact look safe.

Thanks
Justin
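The condition the thread turns on, that a shell tempfile helper is only as safe as the directory it writes into, can be checked before any file is created. The following is an added example, not Tiger's safe_temp() and not code from either poster; `dir_is_private` and `safe_create` are hypothetical names, and the check covers only the directory itself, not its parents.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not Tiger's safe_temp).

# dir_is_private DIR
# Succeeds only if DIR is a real directory (not a symlink), is owned by
# root or by the invoking user, and is not group- or world-writable.
# Parent directories are not inspected (assumption: they are trusted).
dir_is_private() {
    d=$1
    [ -d "$d" ] && [ ! -L "$d" ] || return 1
    # -prune keeps find from descending; it tests DIR only.
    owner_ok=$(find "$d" -prune \( -user 0 -o -user "$(id -u)" \) -print)
    [ -n "$owner_ok" ] || return 1
    # Any group/other write bit means another account could plant a
    # symlink or file under a predictable name.
    loose=$(find "$d" -prune \( -perm -020 -o -perm -002 \) -print)
    [ -z "$loose" ]
}

# safe_create DIR NAME
# Creates DIR/NAME with mode 0600 and prints its path. Fails if NAME
# contains a slash, if DIR is not private, or if the name already
# exists (noclobber makes the shell refuse to reuse an existing name).
safe_create() {
    dir=$1
    name=$2
    case $name in
        */* | "" | . | ..) return 1 ;;
    esac
    dir_is_private "$dir" || return 1
    ( umask 077; set -C; : > "$dir/$name" ) 2>/dev/null || return 1
    printf '%s\n' "$dir/$name"
}
```

Both directories in the `ls -ld` output quoted above would pass `dir_is_private` when run as root; a directory with `/tmp`-style permissions would not.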