MajorSophos

John Rudd jrudd at UCSC.EDU
Wed Sep 8 10:39:05 IST 2004


<x-flowed>
On Sep 8, 2004, at 1:59 AM, Spicer, Kevin wrote:

>> MajorSophos uses mktemp for the TMPDIR initialization, but mktemp isn't
>> very portable (at least not to Solaris 8).  Here's what I did:
>> around line 99-101, I changed:
>>         TMPDIR=`mktemp -d -q /tmp/$BASE.XXXXXX`
>> to:
>>          TMPDIR="/tmp/$BASE.$$"
>>          mkdir -m 700 $TMPDIR
>> ($$ is "unique enough", considering the directory is short-lived, and
>> process numbers are unique)
>
> Process numbers may be unique but they are predictable, therefore should
> not be used for creating temporary files and directories.
>

Can you please explain the logic there?

Unless you're dealing with something where you're worried about someone
being able to access the resulting temp file/directory, I don't see why
predictable is a bad thing.  For one, MajorSophos tempfiles are also
predictable (no matter which method you use), because they're named
"/tmp/MajorSophos.sh.*".  It just doesn't seem to matter that the *
might be a process ID.  Since you're only likely to have one
MajorSophos process running at one time, it's not like having the
process ID in the tmp file is going to give anything away because it'll
be the only MajorSophos in the ps listing (nor is knowing the process
ID from ps going to make it easier to find the tmp directory: if
MajorSophos hasn't been failing, you'll only have one such directory in
/tmp).

For Kerberos ticket caches, where the file is both sensitive and will
be around for at least 8-10 hours, I can see wanting to avoid
predictability ... but for the MajorSophos download directory?  Which
is short lived, and already highly predictable?  I don't see your
point.  Unique is _all_ you need.

</x-flowed>
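
The `mkdir`-based replacement for `mktemp -d` discussed in this thread, written so that the script stops when the PID-based name already exists instead of reusing it. This is an added example, not part of the original message or of MajorSophos; the function names `make_private_dir` and `make_tmpdir` and the retry counter are assumptions.

```shell
#!/bin/sh
# Added example: private temp directory on systems without mktemp.
# make_private_dir / make_tmpdir are hypothetical helper names.

# Create DIR with mode 700 and fail if anything already exists at that path.
# mkdir(2) returns EEXIST for an existing file, directory or symlink
# (dangling or not), so a name pre-created by another local user is
# refused rather than silently reused.
make_private_dir() {
    dir=$1
    # umask 077 covers mkdir implementations that apply -m after creation.
    ( umask 077 && mkdir -m 700 "$dir" ) 2>/dev/null || return 1
    # Confirm the result is a real directory, not a symlink.
    [ -d "$dir" ] && [ ! -L "$dir" ]
}

# Try PARENT/BASE.<pid>.<n> for n = 0..9 and print the first name that this
# process managed to create. A non-zero return means none could be created;
# the caller should abort instead of writing into a directory it did not make.
make_tmpdir() {
    base=$1
    parent=${2:-/tmp}
    n=0
    while [ "$n" -lt 10 ]; do
        candidate="$parent/$base.$$.$n"
        if make_private_dir "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Usage in a script (BASE as in the thread):
#   TMPDIR=`make_tmpdir "$BASE"` || { echo "cannot create temp dir" >&2; exit 1; }
#   trap 'rm -rf "$TMPDIR"' EXIT
```
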


