Bug 175938

Summary: Insecure /tmp operations
Product: [Fedora] Fedora Reporter: Enrico Scholz <rh-bugzilla>
Component: tinyerpAssignee: Dan Horák <dan>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 4CC: extras-qa
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 3.1.1-5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-12-18 20:23:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Enrico Scholz 2005-12-16 16:11:26 UTC 
Description of problem:

tinyerp-server startup script contains code like

| start() {
|     # create temporary startup script to get pid of the server process
|     cat > /tmp/tinyerp-server.run << EOF

This is highly insecure and should never be used. Alternatives:

(a) use 'mktemp' to create the temporary file in a secure manner

(b) start the daemon in a way like

    | daemon --user tinyerp "/usr/bin/setsid /usr/bin/tinyerp-server $OPTS >> /var/log/tinyerp/tinyerp-server.log 2>&1"

    and remove all the /tmp stuff

I would use variant (b)


Version-Release number of selected component (if applicable):

tinyerp-server-3.1.1-4.fc4
Comment 1 Dan Horák 2005-12-18 19:32:29 UTC 
OK, I will try to use variant (b) This is what I wanted to do, but did not
exactly know how. I modified it to start /usr/bin/tinyerp-server in background.

daemon --user tinyerp --check tinyerp-server "/usr/bin/setsid
/usr/bin/tinyerp-server $OPTS >> /var/log/tinyerp/tinyerp-server.log 2>&1 &"

Now I have to modify also the startup script generated in setup.py to create a
pidfile so the server can be stopped.
Comment 2 Enrico Scholz 2005-12-18 20:03:18 UTC 
The '&' should not be needed because 'setsid' sends processes into background.

fwiw, when you want a pidfile and dirty hacks, you could write

| daemon ... "echo \$\$ >&42; exec setsid ..." 42>...the-pidfile...
Comment 3 Dan Horák 2005-12-18 20:23:57 UTC 
I have modified the /usr/bin/tinyerp-server script, pidfile (with echo $$ ;-) )
is created in /var/spool/tinyerp and both staring and stopping works. Released
tinyerp-3.1.1-5