MajorSophos

Spicer, Kevin Kevin.Spicer at BMRB.CO.UK
Wed Sep 8 11:03:07 IST 2004


>>> MajorSophos uses mktemp for the TMPDIR initialization, but mktemp
>>> isn't very portable (at least not to Solaris 8).  Here's what I did:
>>> around line 99-101, I changed:
>>>         TMPDIR=`mktemp -d -q /tmp/$BASE.XXXXXX`
>>> to:
>>>          TMPDIR="/tmp/$BASE.$$"
>>>          mkdir -m 700 $TMPDIR
>>> ($$ is "unique enough", considering the directory is short-lived, and
>>> process numbers are unique)
>>
>> Process numbers may be unique but they are predictable, therefore
>> should not be used for creating temporary files and directories.
>>

> Can you please explain the logic there?

It was really just a general observation that creating predictable tmp
dirs is not best practice.  I take your point that it probably doesn't
really matter with majorSophos, that only unique is probably okay.  The
chances of an attacker (with shell access) messing up your Sophos
installation by predicting the temp directory name and using that to
mess with your sophos installation are minimal (I don't know what
majorSophos uses the temp dir for as I don't use it - so I couldn't say
what the impact of that might be).
One could argue that as the script only runs once per month you could
just create a directory with a static name as two instances of the
script are highly unlikely to run at the same time (not that I think
that's a good idea) - but the author chose not to do that, he also chose
not to use the process ID.  My suggestion replicates the original
behavior whereas yours (whilst probably adequate) does not.  

Regards

Kevin





BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000
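
The trade-off discussed in this thread, as an added example that is not part of the original message or of MajorSophos itself: a POSIX sh helper that uses `mktemp -d` where it exists and otherwise falls back to an unpredictable name, treating a failed `mkdir` as fatal. The function names, the `majorsophos` base name in the usage comment, and the availability of `/dev/urandom` and `od` on the target system are assumptions.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not taken from MajorSophos.

# Create a directory only if nothing (file, directory, symlink) already has
# that name. mkdir is atomic and fails instead of reusing a path somebody
# else created first, so its exit status must be checked by the caller.
mkdir_private() {
    (umask 077 && mkdir "$1") 2>/dev/null
}

# Fallback for systems without mktemp: $1 = base name, $2 = parent directory.
# The suffix comes from /dev/urandom (assumed available), not from $$.
fallback_tmpdir() {
    ft_tries=0
    while [ "$ft_tries" -lt 10 ]; do
        ft_tries=$((ft_tries + 1))
        ft_rand=$(od -An -N8 -tx1 /dev/urandom 2>/dev/null | tr -d ' \t\n')
        [ -n "$ft_rand" ] || return 1   # no randomness: refuse rather than guess
        if mkdir_private "$2/$1.$ft_rand"; then
            printf '%s\n' "$2/$1.$ft_rand"
            return 0
        fi
    done
    return 1
}

# Prefer mktemp -d (random name, mode 0700, atomic); otherwise use the fallback.
# $1 = base name, $2 = parent directory (default /tmp). Prints the new path.
make_private_tmpdir() {
    mpt_parent=${2:-/tmp}
    if command -v mktemp >/dev/null 2>&1 &&
       mpt_dir=$(mktemp -d "$mpt_parent/$1.XXXXXX" 2>/dev/null); then
        printf '%s\n' "$mpt_dir"
        return 0
    fi
    fallback_tmpdir "$1" "$mpt_parent"
}

# Usage in a script (abort if no private directory could be created):
#   TMPDIR=$(make_private_tmpdir majorsophos) || exit 1
#   trap 'rm -rf "$TMPDIR"' EXIT
```
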