From: Solar Designer
To: musl@lists.openwall.com
Subject: Re: configure script for musl (?!)
Date: Wed, 2 May 2012 19:41:10 +0400
Message-ID: <20120502154110.GA18306@openwall.com>
In-Reply-To: <20120502153903.GQ14673@brightrain.aerifal.cx>

On Wed, May 02, 2012 at 11:39:03AM -0400, Rich Felker wrote:
> On Wed, May 02, 2012 at 07:05:43PM +0400, Solar Designer wrote:
> > I think the biggest problem here is in the failure mode.  In the draft
> > script you posted, if "set -C" fails the script will proceed to
> > potentially clobber a file via a (sym)link provided by another user, or
> > it may use a FIFO or a regular file pre-created by another user (and set
> > to e.g. mode 666), in which case the input to the compiler would be
> > under that other user's control (even if we're running with a safe umask).
>
> Since set is a shell builtin, I was assuming it won't fail, but I can
> add "|| fail msg_here" to it.

FWIW, I was referring to possible script invocations with a non-POSIX
shell.  If these merely fail to configure musl, that's acceptable.  If
they expose the invoking user to unexpected security risks, that's
another story.

> > > > Rather than use $TMPDIR or /tmp, I think it'd be safer to place the file
> > > > in the same directory with the configure script or in the current
>
> I agree. In that case, secure creation is mostly a non-issue.

Right.

Alexander
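The fail-closed behaviour discussed in this message, as an added example that is not part of the original thread or of musl's configure script: the function refuses to create anything unless noclobber is really in effect, and creates the file in a caller-supplied directory instead of /tmp. The function name make_tmp and the conf$$-N.c naming pattern are hypothetical.

```shell
# Added example (hypothetical names): create a scratch file for compiler
# tests without clobbering anything that already exists.
make_tmp() {
    # $1: directory to create the file in, e.g. the build directory
    # rather than $TMPDIR or /tmp.
    dir=$1

    # Fail closed. If the shell cannot enable noclobber, ">" below would
    # follow a planted symlink or reuse a pre-created file, so give up
    # instead of continuing.
    set -C 2>/dev/null || return 1

    # A non-POSIX shell might accept "set -C" without honouring it;
    # confirm the option is actually recorded in $-.
    case $- in
        *C*) ;;
        *) return 1 ;;
    esac

    i=0
    while [ "$i" -lt 16 ]; do
        i=$((i + 1))
        f=$dir/conf$$-$i.c
        # A failed redirection on the special builtin ":" may terminate
        # a POSIX shell, so attempt the creation in a subshell.
        if ( : > "$f" ) 2>/dev/null; then
            printf '%s\n' "$f"
            return 0
        fi
    done

    # Every candidate name was taken: report failure, never reuse one.
    return 1
}
```

Call it as `tmpc=$(make_tmp .) || exit 1`, so that a failure stops the script and the noclobber setting stays confined to the command substitution.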