Skip site navigation (1) Skip section navigation (2)

Re: Re: [COMMITTERS] pgsql/src/bin/initdb initdb.sh

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Re: [COMMITTERS] pgsql/src/bin/initdb initdb.sh
Date: 2001-06-25 19:01:26
Message-ID: 200106251901.f5PJ1Q717376@candle.pha.pa.us (view raw or flat)
Thread:
Lists: pgsql-committerspgsql-hackers
> Bruce Momjian writes:
> 
> > > To securely create a temp file in shell you need to use mktemp(1), or do
> > > something like (umask 077 && mkdir $TMPDIR/$$) to create a subdirectory.
> > > Needless to say, it's tricky.
> >
> > Wow, that symlink is a bad one.  I don't see mktemp(1) on bsd/os, only
> > mktemp(3).  I do see it on FreeBSD.
> >
> > Good thing I don't have other shell users on my system.  I do cat
> > >/tmp/$$ all the time in scripts.
> 
> I see we have temp file vulnerabilities in genbki.sh and Gen_fmgrtab.sh as
> well.  I'll try to fix them.

What is the vulnerability?  I see:

	- if [ "$TMPDIR" ]; then
	-     TEMPFILE="$TMPDIR/initdb.$$"
	- else
	-     TEMPFILE="/tmp/initdb.$$"
	- fi


-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

In response to

pgsql-hackers by date

Next:From: John GrayDate: 2001-06-25 20:17:38
Subject: Multi-entry indexes (with a view to XPath queries)
Previous:From: Mark VolpeDate: 2001-06-25 18:26:17
Subject: Re: [PATCH] Re: Setuid functions

pgsql-committers by date

Next:From: Tom LaneDate: 2001-06-25 20:20:02
Subject: pgsql/src/backend/utils/adt pgstatfuncs.c
Previous:From: Vince VielhaberDate: 2001-06-25 19:00:25
Subject: [WEBMASTER] 'www/html devel-contrib.html'

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group