temp file creation problem in inn

Russ Allbery rra at stanford.edu
Fri Dec 29 20:15:56 UTC 2000



Greg KH <greg at wirex.com> writes:

> In building Immunix Linux 7.0, we ran across the following problem in
> inn version 2.2.3:

> In a number of different places, temp files are created in an insecure
> way.  The patch below, by Steve Beattie <steve at wirex.com>, should fix
> this problem on Linux, but since inn is a cross-platform program, it
> will not work on systems that do not have the mkstemp function.

INN doesn't use the system /tmp directory.  It uses its own tmp directory
that should not be world-writeable and should only be used by INN.
Therefore, while I agree that ideally tmp file creation should be cleaned
up, it's not a security issue.

I'm sympathetic to what you're trying to do, but we can't accept a patch
for this unless it comes with a portable implementation of mkstemp so that
we don't break INN on many platforms on which it currently works fine.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
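
One way to provide the portable mkstemp fallback requested above, using only open() with O_CREAT|O_EXCL. This is an added example, not code from INN or from the patch under discussion; the function name compat_mkstemp and the retry limit are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical fallback for platforms without mkstemp() (name is an
   assumption). Rewrites the trailing "XXXXXX" of tmpl in place and returns
   an open descriptor, or -1 with errno set. */
int compat_mkstemp(char *tmpl)
{
    static const char letters[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    static unsigned long counter;
    size_t len = strlen(tmpl);
    char *x;
    int tries, i, fd;

    if (len < 6 || strcmp(tmpl + len - 6, "XXXXXX") != 0) {
        errno = EINVAL;
        return -1;
    }
    x = tmpl + len - 6;

    for (tries = 0; tries < 1000; tries++) {
        /* The name only reduces collisions; safety comes from O_EXCL below. */
        unsigned long v = (unsigned long) getpid() * 2654435761UL
                          + (unsigned long) time(NULL) + counter++ * 7919UL;
        for (i = 0; i < 6; i++) {
            x[i] = letters[v % 62];
            v /= 62;
        }
        /* O_CREAT|O_EXCL fails with EEXIST if the name already exists,
           symlinks included, so a pre-created file is never opened. */
        fd = open(tmpl, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (fd >= 0)
            return fd;
        if (errno != EEXIST)
            return -1;
    }
    errno = EEXIST;
    return -1;
}
```

As with mkstemp, the caller owns the returned descriptor and the file name written back into the template.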


