Bug 175938 - Insecure /tmp operations
Product: Fedora
Classification: Fedora
Component: tinyerp
Hardware/OS: All Linux
Severity: medium
Assigned To: Dan Horák
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Reported: 2005-12-16 11:11 EST by Enrico Scholz
Modified: 2007-11-30 17:11 EST
Fixed In Version: 3.1.1-5
Doc Type: Bug Fix
Last Closed: 2005-12-18 15:23:57 EST
Attachments: None
Description Enrico Scholz 2005-12-16 11:11:26 EST
Description of problem:

tinyerp-server startup script contains code like

| start() {
|     # create temporary startup script to get pid of the server process
|     cat > /tmp/tinyerp-server.run << EOF

This is highly insecure and should never be used. Alternatives:

(a) use 'mktemp' to create the temporary file in a secure manner

(b) start the daemon in a way like

    | daemon --user tinyerp "/usr/bin/setsid /usr/bin/tinyerp-server $OPTS >> /var/log/tinyerp/tinyerp-server.log 2>&1"

    and remove all the /tmp stuff

I would use variant (b).

Comment 1 Dan Horák 2005-12-18 14:32:29 EST
OK, I will try to use variant (b). This is what I wanted to do, but did not
exactly know how. I modified it to start /usr/bin/tinyerp-server in the background.

| daemon --user tinyerp --check tinyerp-server "/usr/bin/setsid /usr/bin/tinyerp-server $OPTS >> /var/log/tinyerp/tinyerp-server.log 2>&1 &"

Now I have to modify also the startup script generated in setup.py to create a
pidfile so the server can be stopped.
Comment 2 Enrico Scholz 2005-12-18 15:03:18 EST
The '&' should not be needed because 'setsid' sends processes into background.

fwiw, when you want a pidfile and dirty hacks, you could write

| daemon ... "echo \$\$ >&42; exec setsid ..." 42>...the-pidfile...
Comment 3 Dan Horák 2005-12-18 15:23:57 EST
I have modified the /usr/bin/tinyerp-server script; the pidfile (with echo $$ ;-) )
is created in /var/spool/tinyerp and both starting and stopping work. Released.
