[darcs-devel] [issue385] changes --repo=URL failure outside a repository

David Roundy droundy at darcs.net
Tue Jan 30 16:34:25 PST 2007


On Tue, Jan 30, 2007 at 09:44:06AM -0500, Zachary P. Landau wrote:
>  withTemp :: (String -> IO a) -> IO a
>  withTemp = bracket get_empty_file removeFileMayNotExist
> - -    where get_empty_file = do (h,f) <- mkstemp "darcs"
> +    where get_empty_file = do tmpdir <- tempdir_loc
> +                              (h,f) <- mkstemp (tmpdir ++ "darcs")
>                                hClose h
>                                return f
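Review bot: `mkstemp (tmpdir ++ "darcs")` concatenates the directory and the template with no separator, so the result only works if `tempdir_loc` always returns a trailing slash; if it ever yields a bare directory such as `/tmp`, the template becomes `/tmpdarcs` and the file is created in the parent directory under a predictable prefix. Join the two explicitly (`tmpdir ++ "/darcs"`, or a FilePath combine) and document the trailing-slash contract on `tempdir_loc`. Separately, the function still does `hClose h` and returns only `f`, so every caller re-opens by name; once that name lives in a directory other users can write to, the gap between creation and the later open-by-name is exploitable, which was not the case when the file lived in the repository's own directory.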

This change would introduce temporary file creation bugs.  We currently
rely on withTemp by default creating files in a non-world-writeable
directory in order to avoid the need to audit all our tempfile creation
code.  If we introduced this change, we'd have to go through and also
audit both every use of withTemp, and the code of withTemp itself, if we
wanted to regain the current level of security.  And these audits would
need to be done by someone who is more competent than me.

So far as I know, there's no secure way to pass a temp file generated in
/tmp to an exec'ed program that requires it as a command-line parameter.

It's just a whole can of worms.  I'm sure it doesn't matter to most of our
users, but some fraction I'm sure use darcs on trusted systems that allow
untrusted users to simultaneously run, and we don't want those users to be
able to modify the execution of darcs in any way.

I don't mean there's no solution, but that I am not aware of a solution,
and will want to have the assurance of someone with experience that we
aren't shooting ourselves in the foot.

Actually, now that I think about it, I suspect that withTemp is inherently
insecure, based on what I know, if the temp file is created in /tmp.  My
understanding is that any use of a filename in /tmp is a bug, and of course
withTemp only allows use of the filename.  I don't know all the tricks that
can be used to take advantage of insecure temp file handling, but that's my
understanding.  Which is why we don't use /tmp for most of our temp files.
-- 
David Roundy
Department of Physics
Oregon State University
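The race David describes, and the private-directory pattern that is the usual way to make a temp file name safe to hand to an exec'ed program, as an added example that is not darcs code and not part of the original thread. It assumes a POSIX system; the "attacker" is a constructed stand-in for another local user, the helper names (`racy_with_temp`, `private_temp_file` and the `demo_*` functions) are hypothetical, and everything runs in scratch directories rather than the real /tmp:

```python
"""Why a temp file that is only ever identified by name is unsafe in a shared,
world-writable directory, and the 0700 private-directory pattern that lets the
name be passed on a command line.  Added example, not darcs code; the attacker
is a constructed stand-in for another local user."""
import os
import shutil
import stat
import subprocess
import sys
import tempfile

# O_NOFOLLOW is POSIX; fall back to 0 so the module still imports elsewhere.
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def hijack_by_symlink(path, victim):
    """Hostile neighbour: in the window where we hold only the name, swap the
    file for a symlink so that our later open-by-name lands on `victim`."""
    os.unlink(path)
    os.symlink(victim, path)


def racy_with_temp(tmpdir, payload, attacker):
    """withTemp-style use: mkstemp, close the handle, keep only the name, and
    write through that name later.  `attacker` runs in the gap in between."""
    fd, path = tempfile.mkstemp(prefix="darcs", dir=tmpdir)
    os.close(fd)
    attacker(path)
    with open(path, "w") as f:        # follows whatever the name now resolves to
        f.write(payload)
    return path


def exclusive_create_refuses_planted(tmpdir):
    """Creation itself is not the problem: O_CREAT|O_EXCL|O_NOFOLLOW refuses a
    name an attacker has pre-planted.  Returns True if the open was refused."""
    planted = os.path.join(tmpdir, "darcs-predictable")
    os.symlink(os.path.join(tmpdir, "victim"), planted)   # attacker guessed the name
    try:
        os.open(planted, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    except FileExistsError:
        return True
    return False


def private_temp_file(payload):
    """Safe pattern: a fresh mode-0700 directory owned by us, so no other user
    can rename, unlink or symlink entries in it; a name under it can then be
    handed to an exec'ed program on its command line."""
    d = tempfile.mkdtemp(prefix="darcs-private-")
    st = os.lstat(d)
    if not (stat.S_ISDIR(st.st_mode) and st.st_uid == os.geteuid()
            and stat.S_IMODE(st.st_mode) == 0o700):
        raise RuntimeError("temp directory is not private")
    path = os.path.join(d, "darcs.tmp")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(payload)
    return d, path


def demo_race():
    """Returns the victim's contents after the racy pattern ran next to a
    hostile neighbour: it has been overwritten with our scratch data."""
    shared = tempfile.mkdtemp(prefix="shared-tmp-")   # constructed stand-in for /tmp
    try:
        victim = os.path.join(shared, "victim")
        with open(victim, "w") as f:
            f.write("original\n")
        racy_with_temp(shared, "darcs scratch data\n",
                       lambda p: hijack_by_symlink(p, victim))
        with open(victim) as f:
            return f.read()
    finally:
        shutil.rmtree(shared)


def demo_exclusive():
    """True when an exclusive create in the shared directory refuses a planted link."""
    shared = tempfile.mkdtemp(prefix="shared-tmp-")
    try:
        with open(os.path.join(shared, "victim"), "w") as f:
            f.write("original\n")
        return exclusive_create_refuses_planted(shared)
    finally:
        shutil.rmtree(shared)


def demo_private():
    """Creates the file in a private directory and passes its name to a child
    process on the command line; returns what the child read back."""
    d, path = private_temp_file("patch body\n")
    try:
        child = [sys.executable, "-c",
                 "import sys; sys.stdout.write(open(sys.argv[1]).read())", path]
        return subprocess.run(child, capture_output=True, text=True,
                              check=True).stdout
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print("victim after race:", repr(demo_race()))
    print("exclusive create refused planted name:", demo_exclusive())
    print("child read from private dir:", repr(demo_private()))
```

The two halves separate the concerns: `mkstemp` with `O_EXCL` already makes the creation step safe even in a shared directory, so the bug is entirely in what happens afterwards when only the name is kept, exactly the shape of the quoted `withTemp`. Putting the file under a directory created by `mkdtemp` (mode 0700, owned by the caller, checked with `lstat` before use) removes the attacker's ability to rename or relink anything on the path, which is what makes it acceptable to pass the name to a child process.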