develooper Front page | perl.perl5.porters | Postings from February 2004

Re: [perl #15063] /tmp issues

Solar Designer
February 2, 2004 04:17
On Sun, Feb 01, 2004 at 03:41:34PM +0000, Dave Mitchell wrote:
> On Mon, Jan 26, 2004 at 01:22:18AM +0300, Solar Designer wrote:
> > Well, our package has been updated to Perl 5.8.3, and attached to this
> > message you can find the new temporary file handling patch.
> Thanks, applied to bleedperl as change #22255, except for the following:

Thank you!  My comments on the non-applied changes below:

> Many systems don't have a /var/run directory, or it is only writeable by root;
> so in the following files I didn't change the examples from '/tmp/foo'
> to '/var/run/foo'; instead I changed them to just 'foo' or '/some/path/foo'
> as appropriate:
>     ext/DB_File/
>     ext/Storable/
>     lib/CGI/
>     pod/perldbmfilter.pod


> ext/ODBM_File/ODBM_File.xs
>     changed "/nonexistent" to "/non/exist/ent" - less likelihood of the
>     file actually being created, e.g. by a bug in the script


> lib/
>     I didn't apply this!
>     +# XXX: The temporary file handling implemented in here is crap.  It should
>     +# be re-done making use of File::Temp.
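
Review bot: the added XXX comment says the temporary file handling should be re-done with File::Temp but does not say what is wrong with the current code. State the specific defect in the comment so the rework has a clear target, and replace "crap" with wording a maintainer can act on.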

OK, but it does need to be re-worked!  The current code is insecure.

I don't think it can be fixed without changing user-visible interfaces,

> lib/    
>     didn't apply this:
>      # If more accuracy is wanted/needed, Chris Leach sent me this patch...
>       # > *** /install/perl/live/lib/	Wed Sep 24 13:08:48 1997
>     - # > --- /tmp/cp	Wed Sep 24 13:26:40 1997
>     + # > --- cp	Wed Sep 24 13:26:40 1997

OK, although not having "/tmp" there would save me and others a few
seconds when checking subsequent versions of Perl with grep.

> lib/ExtUtils/instmodsh
>     it no longer uses the tmp file it creates, so I just removed the
> 	$tmp = "/tmp/inst.$$"
>     line instead.


> lib/
> pod/perldebug.pod
>     rather than changing the tty file from /tmp/perldbtty$$ to
>     /var/run/perldbtty$$, I changed it to .perldbtty$$
>     Note that this is a user-visible change.


> utils/perlbug.PL
>     This is designed to run on old 5.005 systems, and as such it can't
>     rely on File::Temp, so I didn't apply this one.

Hmm.  Perhaps I am missing something, but why does the version of
perlbug included in recent versions of Perl need to work with some
other version?  The unpatched perlbug has a race (a security hole).

Thanks again,
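
The thread turns on PID-based names such as `/tmp/inst.$$` versus File::Temp. The following is an added example, not code from the thread or from Perl's source: it shows, inside a private sandbox directory, why a plain open on a predictable name is unsafe when the name already exists as a symlink, and how an exclusive create or File::Temp behaves instead. The sandbox, the `victim.txt` file and the helper names are constructed for the demonstration; a Unix-like system with symlink support is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile tempdir);

# Constructed sandbox standing in for a world-writable /tmp.
my $sandbox = tempdir(CLEANUP => 1);

# Constructed setup: a file the script's owner can write, and the
# predictable scratch name already present as a symlink pointing at it.
my $victim = "$sandbox/victim.txt";
open(my $v, '>', $victim) or die "create $victim: $!";
print {$v} "important data\n";
close($v);
my $predictable = "$sandbox/inst.$$";    # same shape as "/tmp/inst.$$"
symlink($victim, $predictable) or die "symlink: $!";

sub slurp { open(my $fh, '<', $_[0]) or die "read $_[0]: $!"; local $/; return <$fh> }

# Exclusive create: O_EXCL fails on any existing name, symlinks included.
sub write_excl {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return 0;
    print {$fh} "scratch\n";
    return close($fh);
}

# Plain open: follows the symlink and truncates whatever it points to.
sub write_plain {
    my ($path) = @_;
    open(my $fh, '>', $path) or return 0;
    print {$fh} "scratch\n";
    return close($fh);
}

printf "O_EXCL on existing name: %s\n", write_excl($predictable) ? "created" : "refused ($!)";
printf "target after O_EXCL:     %s", slurp($victim);
write_plain($predictable);
printf "target after plain open: %s", slurp($victim);

# File::Temp picks an unpredictable name and opens it with O_EXCL itself.
my ($fh, $name) = tempfile('instXXXXXXXX', DIR => $sandbox, UNLINK => 1);
print {$fh} "scratch\n";
close($fh);
printf "File::Temp name:         %s\n", $name;
```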

