Am 15.08.2008 11:21, Riku Voipio schrieb:
mktemp /tmp/$0.$$.XXXXX
The problem here is that you are using too short template. Try:
mktemp /tmp/$0.$$.XXXXXXXXXXXXXXXXXXXXXXX
The problem with that is that scripts with X>=6 are not portable
to other Unices. And to compensate Debian's ineffectiveness here
by if-statements is no great thing either. I would rather prefer
of getting this fixed in the first place.
Besides: A program should make sure, that it provides the appropriate
level of security, not the user. If you put security in the hand
of users, where it is not needed, that's bad.
I am sure that not every user, i.e. shell programmer, understands the issue
as well as we both.
using only 5 * X as in your version makes your app quite possibly
brute-forceable.
I see you got the point. ;-)
On other Linux' you have with only 5 chars a randomness
of (10+26)^5 = 60466176 whereas on DEBIAN it's close to zero. ;-)
With 6 chars 2.176.782.336 on other systems, on debian worst case ~36.
This is the way it should be (Opensuse):
I suspect opensuse uses the gnu coreutils version of mktemp?
[EMAIL PROTECTED]:~|0% rpm -qf =mktemp
coreutils-6.11-9.1
[EMAIL PROTECTED]:~|0%
BTW: An old Ubuntu 6.06 as well a sarge system behave also as
I would expect:
[EMAIL PROTECTED]:~ 0$ cat /etc/debian_version
3.1
[EMAIL PROTECTED]:~ 0$ mktemp /tmp/name.XXXXXX
/tmp/name.m6WAqO
[EMAIL PROTECTED]:~ 0$ dpkg -S `which mktemp`
debianutils: /bin/mktemp
[EMAIL PROTECTED]:~ 0$
I cannot comprehend why that changed in 4.0.
I suggest you use
a) a mixture of letters and numbers for mktemp
Which is what mktemp does. You might want to read the manpage
of mktemp.
Yes.
You have there another bug: "number of unique filenames mktemp can return
depends on the number of ‘Xs’ provided; ten ‘Xs’ will result in mktemp
testing roughly 26 ** 10 combinations."
26 is the number of chars, 10 is the number of numbers. So if you really
would have a mixture of letters/numbers the combinations would be 36^10.
But as you lost 4-5 digits now it is 36^6 or 36^5 when you use 10 Xs.
Agreed, that using pid as part of filling the "XXXX"
is quite pointless thou.
Ok, so it would be great if you could fix that.
Cheers,
Dirk
--
Dirk Wetter @ Dr. Wetter IT Consulting http://drwetter.org
Beratung IT-Sicherheit + Open Source
Key fingerprint = 2AD6 BE0F 9863 C82D 21B3 64E5 C967 34D8 11B7 C62F
-
Found core file older than 7 days: /usr/share/man/man5/core.5.gz
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
