Complete.Org: Mailing Lists: Archives: gopher: January 2001:
[gopher] Re: Security problems in gopherd (Was Security alert)
Home

[gopher] Re: Security problems in gopherd (Was Security alert)

[Top] [All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]
To: gopher@xxxxxxxxxxxx
Subject: [gopher] Re: Security problems in gopherd (Was Security alert)
From: David Allen <s2mdalle@xxxxxxxxxxxxx>
Date: Thu, 18 Jan 2001 19:30:56 -0500
Reply-to: gopher@xxxxxxxxxxxx

On Thu, Jan 18, 2001 at 01:15:49AM -0500, John Goerzen wrote:
> 
> One option would be to create a directory in /tmp, mode 0700, and put
> all files in it.  This would allow the more-portable tempnam() to
> continue to be used.  In the course of auditing sprintf()s, I did come
> across one or two open() calls for /tmp files and added O_EXCL to the
> list as a temporary measure...
> 
> -- John

I just added the mktmpdir() function in serverutil.c to create this
directory.  Take a look at it and tell me if I'm missing anything
(since I'm not up on security as much as I should be)

If everything is kosher, I'll change those tmpnam calls to use this
directory.  Is there a clean way to do this other than adding another
entry to globals.h?  (I really hate globals like ASKfile and Gticket
where it's hard to figure out what the scope of the damage is going to
be if you change a call where they are involved)

-- 
David Allen
http://opop.nols.com/




[Prev in Thread] Current Thread [Next in Thread]