Re: tmpnam vs mkstemp, was Re: [Exim] Problem with compiling…

From: David Wheeler
Date:  
To: Ian Jackson, exim-users
Subject: Re: tmpnam vs mkstemp, was Re: [Exim] Problem with compiling exim-3.22 on Linux
> This is completely absurd, of course. An implementation of tmpfile()
> which does *not* create the file in the right way cannot safely be
> used by *any* program.

Yes, and that's the problem. Please re-read my comments about tmpfile();
hopefully I explained the issue clearly enough at
http://www.linuxdoc.org/HOWTO/Secure-Programs-HOWTO/avoid-race.html.
To quote myself:
"If I could satisfy myself that tmpfile(3) was trustworthy, I'd
use it, since it's the simplest solution for many situations."
However, _proof_ is hard to come by.

> So the answer is: use tmpfile() and if this introduces a security hole
> get your OS vendor to fix it, or fix it yourself[1].
Just using tmpfile() without doing anything has risks for users.
Some users won't know if it's a problem, won't know how to fix it,
and/or won't have the privileges (root)/knowledge necessary to fix it.

If you already know what platforms you'll run on, and you know they're okay
(or can trust clueful administrators to be sure of it), that's different.
You can make that argument for an MTA, especially if you know it'll only
run on systems known to work (e.g., Linux glibc). However, I'd suggest your
next approach, which completely solves the problem:

> Phil: if you're worried about being blamed for crap libcs, make an
> autoconf test that spots if tmpfile is broken and makes the build fail
> if it is. I'll have a go at writing you one if you like.
I think that's the best solution, and in fact I advocate this as
a general approach (not just in this case). See:
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/call-out.html#CALL-ONLY-SAFE

You would not _BELIEVE_ how many C libraries are out there which don't even
correctly implement the specs. I agree that this library call _SHOULD_ do
this other function _NOT_ required by the spec, but that won't help
the poor sucker/user stuck with the #*#$ library.

If you write such a test (it should be really easy to write!), please
send me a copy of just the test. I'd be happy to incorporate it
in my book (if you let me) so that others can use the same test.
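As an added example (not from this thread, and not Exim's own code), here is the kind of build-time probe Ian proposes, written in C so it can be dropped into an autoconf AC_RUN_IFELSE (or the older AC_TRY_RUN) check: it calls tmpfile() and inspects the open descriptor rather than any path, so the probe itself does not reopen the race it is looking for. What counts as "created the right way" is my assumption, since the thread does not spell it out: a regular file, already unlinked from the filesystem, with no group or other permission bits.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes; a non-zero exit status fails the configure check. */
enum tmpfile_check {
    TMPFILE_OK = 0,
    TMPFILE_CALL_FAILED = 1,   /* tmpfile() returned NULL */
    TMPFILE_FSTAT_FAILED = 2,  /* could not fstat the descriptor */
    TMPFILE_NOT_REGULAR = 3,   /* not a regular file (e.g. a FIFO/symlink target) */
    TMPFILE_STILL_LINKED = 4,  /* file still has a name, so it can be tampered with */
    TMPFILE_MODE_TOO_OPEN = 5  /* group/other have some access to it */
};

/* Probe this libc's tmpfile(): open one, then judge it by the descriptor
 * only (fstat), never by a path name, so the check cannot be raced. */
int check_tmpfile(void)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return TMPFILE_CALL_FAILED;

    struct stat st;
    int rc = TMPFILE_OK;
    if (fstat(fileno(fp), &st) != 0)
        rc = TMPFILE_FSTAT_FAILED;
    else if (!S_ISREG(st.st_mode))
        rc = TMPFILE_NOT_REGULAR;
    else if (st.st_nlink != 0)          /* expected: unlinked on creation */
        rc = TMPFILE_STILL_LINKED;
    else if (st.st_mode & (S_IRWXG | S_IRWXO))  /* expected: owner-only (0600) */
        rc = TMPFILE_MODE_TOO_OPEN;

    fclose(fp);
    return rc;
}

int main(void)
{
    int rc = check_tmpfile();
    printf("tmpfile() check: %s (%d)\n", rc == TMPFILE_OK ? "ok" : "BROKEN", rc);
    return rc;  /* exit status is what the configure-time test looks at */
}
```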