* difflog.pl and "security"
From: Clint Adams @ 2007-12-02 21:40 UTC
To: zsh-workers

There seems to be some excitement[1] about the tempfile handling in
difflog.pl.

[1] https://bugs.gentoo.org/show_bug.cgi?id=201022
* Re: difflog.pl and "security"
From: Bart Schaefer @ 2007-12-03 1:45 UTC
To: zsh-workers

On Dec 2, 4:40pm, Clint Adams wrote:
}
} There seems to be some excitement[1] about the tempfile handling in
} difflog.pl.

I'll bet the number of times difflog.pl has been run in the last four
years, by anyone, could be counted on one hand. Why would Gentoo even
include it in the packages? It's strictly a tool for those maintaining
two zsh code branches in parallel.
* Re: difflog.pl and "security"
From: Peter Stephenson @ 2007-12-03 10:42 UTC
To: zsh-workers

On Sun, 02 Dec 2007 17:45:19 -0800
Bart Schaefer <schaefer@brasslantern.com> wrote:
> On Dec 2, 4:40pm, Clint Adams wrote:
> }
> } There seems to be some excitement[1] about the tempfile handling in
> } difflog.pl.
>
> I'll bet the number of times difflog.pl has been run in the last four
> years, by anyone, could be counted on one hand. Why would Gentoo even
> include it in the packages? It's strictly a tool for those maintaining
> two zsh code branches in parallel.

Yes, I'm more worried about the implication that anything distributed
will be assumed to be robust for any usage. In the usage for which
difflog.pl is supplied, security is not an issue since you're diffing
two publicly available logs. People need to be discouraged from
thinking the same script will work as a heavy-duty tool for logs that
might need more security.

Maybe we should simply leave it out of the distribution (but leave it in
the archive), since it's essentially no use unless you have a CVS tree.
It might be worth adding a new list in .distfiles to indicate this...

It looks like the "distfiles" stuff isn't yet documented, as far as I
can see.

Index: Etc/zsh-development-guide
===================================================================
RCS file: /cvsroot/zsh/zsh/Etc/zsh-development-guide,v
retrieving revision 1.14
diff -u -r1.14 zsh-development-guide
--- Etc/zsh-development-guide	6 Jul 2007 21:52:39 -0000	1.14
+++ Etc/zsh-development-guide	3 Dec 2007 10:39:38 -0000
@@ -826,3 +826,33 @@ zsh The Zsh Development Group (contact: <coordinator@zsh.org>) Below the top level, naming authority is delegated. + + +Distribution of files +--------------------- + +zsh is distributed in two parts: a "src" distribution containing all +the source files (roughly, but not exactly, corresponding to the CVS +tree), and a "doc" distribution containing some pre-built files from +the documentation directory. All the files in the "doc" distribution +may be generated from files in the "src" distribution with appropriate +freely available tools. + +To indicate which files should be distributed, each directory in the CVS +tree includes a file .distfiles that sets any number of a set of Bourne +shell (scalar) parameters. The value of the parameter is expanded as a +set of standard command line arguments. Basic globbing is allowed in the +values. + +The following parameters are currently used: + +- DISTFILES_SRC is a list of files from the directory for the "src" + distribution. + +- DISTFILES_DOC is a list of files from the directory for the "doc" + distribution. + +- DISTFILES_NOT is a list of files that will not be included in a + distribution, but that need to be present in the CVS tree. This + variable is not used by the zsh build process and is present for + the convenience of external checks. Index: Util/.distfiles =================================================================== RCS file: /cvsroot/zsh/zsh/Util/.distfiles,v retrieving revision 1.3 diff -u -r1.3 .distfiles --- Util/.distfiles 19 Mar 2004 10:53:04 -0000 1.3 +++ Util/.distfiles 3 Dec 2007 10:39:39 -0000 
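Review bot: in the new "Distribution of files" section, "sets any number of a set of Bourne shell (scalar) parameters" reads awkwardly; suggest "sets one or more of the following Bourne shell (scalar) parameters". Since the same paragraph says each value "is expanded as a set of standard command line arguments" with "basic globbing", it is worth adding one sentence that file names containing whitespace or glob characters cannot be listed this way, so that whoever next touches a .distfiles knows the limits of the format before a quoting problem shows up in a release tarball.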
@@ -1,5 +1,11 @@ DISTFILES_SRC=' .distfiles - check_exports difflog.pl helpfiles mkdisttree.sh reporter + check_exports + helpfiles + mkdisttree.sh preconfig + reporter +' +DISTFILES_NOT=' + difflog.pl ' -- Peter Stephenson <pws@csr.com> Software Engineer CSR PLC, Churchill House, Cambridge Business Park, Cowley Road Cambridge, CB4 0WZ, UK Tel: +44 (0)1223 692070 ^ permalink raw reply [flat|nested] 7+ messages in thread
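Review bot: moving difflog.pl from DISTFILES_SRC to the new DISTFILES_NOT keeps it out of the "src" tarball but, by the definition just added to the development guide, leaves it in the CVS tree, so anyone running it from a checkout still gets the script as it is; the exclusion is a reasonable stopgap but should be paired with a fix to the script itself (or a comment above the DISTFILES_NOT entry saying why it is excluded) so the reason does not get lost. The reflow of the DISTFILES_SRC entries onto one file per line is a good change on its own, since later additions and removals will then show up as single-line diffs.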
* Re: difflog.pl and "security"
From: Bart Schaefer @ 2007-12-03 16:33 UTC
To: zsh-workers

On Dec 3, 10:42am, Peter Stephenson wrote:
}
} Yes, I'm more worried about the implication that anything distributed
} will be assumed to be robust for any usage. In the usage for which
} difflog.pl is supplied, security is not an issue since you're diffing
} two publicly available logs.

If I understand the issue correctly, the problem is not what's in the
log files, but what's in /tmp.

E.g., if a local attacker can guess when difflog.pl is being run and
what its process ID is, he can create symlinks in /tmp that point
from the files difflog is about to create, to any files owned by the
person running difflog, and cause the target files to be clobbered.

My usual feeling about this is that if your local users are doing this
sort of thing, you already have problems that fixing a few scripts is
not going to solve; but there are people who have no choice but to hand
out logins first and ask questions later.
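As an added illustration of the point above (example code, not the zsh project's difflog.pl and not from anyone in this thread): the same "write two temp files, run diff, clean up" step done so that a pre-planted /tmp entry cannot redirect the write. It assumes a diff binary on PATH and uses core Perl's File::Temp, whose tempfile() opens with O_CREAT|O_EXCL and mode 0600, plus a post-creation lstat check a defender can keep as a regression test.

```perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use Fcntl qw(:mode);

# Write $text to a fresh temp file and return its path.  tempfile()
# opens with O_CREAT|O_EXCL (and mode 0600), so a symlink or file that
# already sits at the chosen name makes the open fail instead of being
# followed; UNLINK => 1 removes the file at exit even if we die() later.
sub write_private_tmp {
    my ($text, $suffix) = @_;
    my ($fh, $path) = tempfile('difflog-XXXXXXXX', SUFFIX => $suffix,
                               TMPDIR => 1, UNLINK => 1);
    print $fh $text;
    close $fh or die "close $path: $!";
    return $path;
}

# Post-creation check: the path must be a regular file (lstat, so a
# symlink is reported as such), owned by us, with no group/other bits.
sub tmp_is_private {
    my ($path) = @_;
    my @st = lstat($path) or return 0;
    return 0 unless S_ISREG($st[2]);
    return 0 unless $st[4] == $>;
    return 0 if $st[2] & (S_IRWXG | S_IRWXO);
    return 1;
}

# Diff two in-memory strings; returns diff's output lines, () if equal.
sub diff_strings {
    my ($old, $new, @diffopts) = @_;
    my $oldtmp = write_private_tmp($old, '.old');
    my $newtmp = write_private_tmp($new, '.new');
    die "temp file is not private\n"
        unless tmp_is_private($oldtmp) && tmp_is_private($newtmp);
    # List-form open: no shell ever sees @diffopts or the file names.
    open(my $diff, '-|', 'diff', '-bw', @diffopts, $oldtmp, $newtmp)
        or die "cannot run diff: $!";
    my @lines = <$diff>;
    close $diff;                 # exit status 1 just means "differs"
    unlink $oldtmp, $newtmp;     # eager cleanup; UNLINK => 1 is the net
    return @lines;
}

# Constructed sample input: one changed entry between two small logs.
print diff_strings("2007-12-02 fix foo\n2007-12-03 fix bar\n",
                   "2007-12-02 fix foo\n2007-12-03 fix baz\n");
```

The explicit unlink matters in a loop like difflog's, where UNLINK => 1 alone would let files accumulate until the script exits.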
* Re: difflog.pl and "security"
From: Peter Stephenson @ 2007-12-03 17:36 UTC
To: zsh-workers

On Mon, 03 Dec 2007 08:33:01 -0800
Bart Schaefer <schaefer@brasslantern.com> wrote:
> On Dec 3, 10:42am, Peter Stephenson wrote:
> }
> } Yes, I'm more worried about the implication that anything distributed
> } will be assumed to be robust for any usage. In the usage for which
> } difflog.pl is supplied, security is not an issue since you're diffing
> } two publicly available logs.
>
> If I understand the issue correctly, the problem is not what's in the
> log files, but what's in /tmp.
>
> E.g., if a local attacker can guess when difflog.pl is being run and
> what its process ID is, he can create symlinks in /tmp that point
> from the files difflog is about to create, to any files owned by the
> person running difflog, and cause the target files to be clobbered.

Yes, you're right. However, the other remark stands... should I
commit the change I suggested? (There's obviously no harm in the
documentation update.)

-- 
Peter Stephenson <pws@csr.com>                  Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK                          Tel: +44 (0)1223 692070
* Re: difflog.pl and "security"
From: Bart Schaefer @ 2007-12-03 18:37 UTC
To: zsh-workers

On Dec 3, 5:36pm, Peter Stephenson wrote:
}
} Yes, you're right. However, the other remark stands... should I
} commit the change I suggested? (There's obviously no harm in the
} documentation update.)

Oh, I didn't realize there was any question. Sure, commit it.
Or "+1" as they say nowadays.
* Re: difflog.pl and "security" 2007-12-03 10:42 ` Peter Stephenson 2007-12-03 16:33 ` Bart Schaefer @ 2007-12-03 21:36 ` Wayne Davison 1 sibling, 0 replies; 7+ messages in thread From: Wayne Davison @ 2007-12-03 21:36 UTC (permalink / raw) To: Peter Stephenson; +Cc: zsh-workers [-- Attachment #1: Type: text/plain, Size: 535 bytes --] On Mon, Dec 03, 2007 at 10:42:56AM +0000, Peter Stephenson wrote: > Maybe we should simply leave it out of the distribution (but leave it in > the archive), since it's essentially no use unless you have a CVS tree. Seems quite reasonable to me. I also coded up an improved version that uses File::Temp. I also changed the opening of the DIFF pipe to use a newer, safer exec syntax (since we don't need this to be very portable, I figure the perl version should be recent enough for anyone who might be using the script). ..wayne.. [-- Attachment #2: difflog.patch --] [-- Type: text/x-diff, Size: 1399 bytes --] --- difflog.pl 18 Apr 2002 14:35:17 -0000 1.3 +++ difflog.pl 3 Dec 2007 21:32:03 -0000 @@ -2,10 +2,9 @@ use strict; use IO::File; +use File::Temp qw(tempfile); my @differ = qw(diff -bw); -my $oldtmp = "/tmp/difflog$$.old"; -my $newtmp = "/tmp/difflog$$.new"; my $newfn = pop(@ARGV); my $oldfn = pop(@ARGV); 
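Review bot: with the second hunk replacing both `new IO::File(...)` calls by tempfile(), `use IO::File;` is left as an unused import; drop it in this hunk alongside the removed `$oldtmp`/`$newtmp` declarations so the header reflects what the script now depends on (File::Temp only).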
@@ -36,16 +35,17 @@ while ($old < @oldentries && $new < @new else { if ($oldhash{$oldentries[$old]} ne $newhash{$newentries[$new]}) { - my $oldfh = new IO::File("/tmp/difflog$$.old", 'w'); - $oldfh->print($oldhash{$oldentries[$old]}); - $oldfh->close(); - my $newfh = new IO::File("/tmp/difflog$$.new", 'w'); - $newfh->print($newhash{$newentries[$new]}); - $newfh->close(); - open(DIFF, join(' ', @differ, @ARGV, $oldtmp, $newtmp, '|')); + my($oldfh, $oldtmp) = tempfile('difflog-XXXXXXXX', SUFFIX => '.old', DIR => '/tmp'); + print $oldfh $oldhash{$oldentries[$old]}; + close $oldfh; + my($newfh, $newtmp) = tempfile('difflog-XXXXXXXX', SUFFIX => '.new', DIR => '/tmp'); + print $newfh $newhash{$newentries[$new]}; + close $newfh; + open(DIFF, '-|', @differ, @ARGV, $oldtmp, $newtmp) or die $!; my @lines = <DIFF>; close(DIFF); - unlink </tmp/difflog$$.*>; + unlink($oldtmp); + unlink($newtmp); if (@lines) { print "diff for ", $oldentries[$old], ":\n"; ^ permalink raw reply [flat|nested] 7+ messages in thread
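Review bot: tempfile('difflog-XXXXXXXX', ...) closes the predictable-name problem (the file is created O_EXCL with mode 0600, so a name planted in advance makes the open fail rather than being followed), but cleanup now only happens on the success path: the new `or die $!` after open(DIFF, ...), or any later die, leaves the two temp files behind. Passing `UNLINK => 1` to both tempfile() calls makes File::Temp remove them at exit on every path while the explicit `unlink($oldtmp); unlink($newtmp);` keeps the loop from accumulating files; and `DIR => '/tmp'` could become `TMPDIR => 1` so the caller's $TMPDIR is honoured.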