develooper Front page | perl.perl5.porters | Postings from September 2000

Re: [ID 20000831.046] OK: perl v5.7.0 +DEVEL6961 on sun4-solaris2.8 (UNINSTALLED)

Thread Previous
From:
Tim Jenness
Date:
September 1, 2000 01:55
Subject:
Re: [ID 20000831.046] OK: perl v5.7.0 +DEVEL6961 on sun4-solaris2.8 (UNINSTALLED)
Message ID:
Pine.LNX.4.21.0008312248520.18825-100000@lapaki.jach.hawaii.edu
On 1 Sep 2000, Andreas J. Koenig wrote:

> >>>>> On Fri, 01 Sep 2000 08:37:51 +0100, Alan Burlison <Alan.Burlison@uk.sun.com> said:
> 
> >> Alan, are you running make test as root?
> 
>   > Yes.  Also, the build directory is owned by root, and the build is done
>   > by root.  Bad habits die hard ;-)
> 
> Sure we love bad habits!
> 
> And together with this previous message, we have the culprit:
> 
> alan  > ls -ld of build directory:
> alan  > drwxr-xr-x  28 15033    root        4608 Aug 26 21:30 .
> 
> jhi  > That uid would be me... but I don't think the test uses the build
> jhi  > directory any more for the tests, it should be using a temp directory,
> jhi  > what the File::Spec->tmpdir() gives.
> 
> Wrong, Jarkko! The tests 3, 5, and 7 still use the current directory
> as tmpdir. I sent the patch yesterday that skips these three tests if
> the user is root. I did not see the patch arrive at P5P. Did you not
> get it?

Well, the test initially used just cwd (since naively I had assumed that
the current directory would be safer more often than tmpdir!), then we
changed it to use tmpdir last week but that triggered problems with the 
HP users and those that deliberately remove the sticky bit. Jarkko then
rewrote the test so that it would skip with a message if the test failed
and added tests for both cwd and tmpdir to cover both cases. I agree that
if you are root then you probably don't care about current directory being
insecure.

> 
> If anybody doesn't believe, try the following patch. All it does, it
> improves the error message from File::Temp on STDERR, no change in
> functionality. If you chown the perl source tree to yourself and run
> 'make test' as root, you'll see that "." is being used as path.
> 

"." was deliberate.

> Alan sees the message because from untarring as root, the tree is
> owned by user 15033 which is the same effect as you could have with a
> C<chown -R>.
> 

Yes. This has been a very good cross platform/user test :-)


> *** /tmp/Temp.pm~	Fri Sep  1 09:51:25 2000
> --- /tmp/Temp.pm	Fri Sep  1 09:51:25 2000
> ***************
> *** 609,615 ****
>     # Use the real uid from the $< variable
>     # UID is in [4]
>     if ( $info[4] > File::Temp->top_system_uid() && $info[4] != $<) {
> !     carp "Directory owned neither by root nor the current user";
>       return 0;
>     }
>   
> --- 609,623 ----
>     # Use the real uid from the $< variable
>     # UID is in [4]
>     if ( $info[4] > File::Temp->top_system_uid() && $info[4] != $<) {
> ! 
> !     Carp::cluck(sprintf "DEBUG: info4[%s] topuid[%s] \$\<[%s] path[%s]",
> ! 		$info[4],
> ! 	      File::Temp->top_system_uid(),
> ! 		$<,
> ! 		$path,
> ! 		);
> ! 
> !     carp "Directory owned neither by root nor the current user.";
>       return 0;
>     }
>   
> This could even go into 5.7.0 to improve future feedback on errors in
> this area.
> 

I can't test this now (limited computer access) but this patch (and the
patch to disable the test for cwd if root) is fine with me if it improves
the error reporting.  Having the test distinguish insecure temp files in
cwd from insecure temp files in tmpdir is a good thing.

-- 
Tim Jenness
JCMT software engineer/Support scientist
http://www.jach.hawaii.edu/~timj



Thread Previous


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About