Bug 175938 - Insecure /tmp operations
Summary: Insecure /tmp operations
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: tinyerp
Version: 4
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-12-16 16:11 UTC by Enrico Scholz
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version: 3.1.1-5
Clone Of:
Environment:
Last Closed: 2005-12-18 20:23:57 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Enrico Scholz 2005-12-16 16:11:26 UTC
Description of problem:

tinyerp-server startup script contains code like

| start() {
|     # create temporary startup script to get pid of the server process
|     cat > /tmp/tinyerp-server.run << EOF

This is highly insecure and should never be used. Alternatives:

(a) use 'mktemp' to create the temporary file in a secure manner

(b) start the daemon in a way like

    | daemon --user tinyerp "/usr/bin/setsid /usr/bin/tinyerp-server $OPTS >> /var/log/tinyerp/tinyerp-server.log 2>&1"

    and remove all the /tmp stuff

I would use variant (b)


Version-Release number of selected component (if applicable):

tinyerp-server-3.1.1-4.fc4

Comment 1 Dan Horák 2005-12-18 19:32:29 UTC
OK, I will try to use variant (b) This is what I wanted to do, but did not
exactly know how. I modified it to start /usr/bin/tinyerp-server in background.

daemon --user tinyerp --check tinyerp-server "/usr/bin/setsid
/usr/bin/tinyerp-server $OPTS >> /var/log/tinyerp/tinyerp-server.log 2>&1 &"

Now I have to modify also the startup script generated in setup.py to create a
pidfile so the server can be stopped.

Comment 2 Enrico Scholz 2005-12-18 20:03:18 UTC
The '&' should not be needed because 'setsid' sends processes into background.

fwiw, when you want a pidfile and dirty hacks, you could write

| daemon ... "echo \$\$ >&42; exec setsid ..." 42>...the-pidfile...


Comment 3 Dan Horák 2005-12-18 20:23:57 UTC
I have modified the /usr/bin/tinyerp-server script, pidfile (with echo $$ ;-) )
is created in /var/spool/tinyerp and both staring and stopping works. Released
tinyerp-3.1.1-5


Note You need to log in before you can comment on or make changes to this bug.