[GRASS5] [bug #2877] (grass) Insecure tempfile creation

[thanks for the 5.0.3 patch Marga]

Just an update re. less-insecure tempfiles ..

In the upstream GRASS 5.7 CVS[*] pretty much everything in the scripts/
directory now uses g.tempfile. C modules are next. I am not sure what to
do with the init scripts & libs where the GRASS tempfile fn's may not be
available..

These fixes are not in Steve Halasz's grass 6.0beta1 grass package[**],
I'm not sure when 6beta2 will be but maybe Steve & co. are willing to
backport these changes to 6beta1 and push for that to get into Sarge.

[*] http://freegis.org/cgi-bin/viewcvs.cgi/grass51/
[**] http://pkg-grass.alioth.debian.org/cgi-bin/wiki.pl

a number of the instances on the offender list were actually commented
out, etc.

still to look at:

lib/db/stubs/BUILD.PROTO
lib/db/dbmi_driver/mk_dbstubs_h.sh
lib/gis/unix_socks.c
lib/gis/gislib.dox
lib/gis/win32_pipes.c
lib/init/init.sh
lib/init/make_location_epsg_g57.sh

raster/r.terraflow/description.html
raster/r.terraflow/main.cc

regards,
Hamish

Hamish wrote:

> Just an update re. less-insecure tempfiles ..
>
> In the upstream GRASS 5.7 CVS[*] pretty much everything in the scripts/
> directory now uses g.tempfile. C modules are next. I am not sure what to
> do with the init scripts & libs where the GRASS tempfile fn's may not be
> available..

Re-write g.tempfile so that it doesn't rely upon GRASS having been
initialised, i.e. just use tempnam() or similar rather than relying
upon G_getenv() etc.

The only code which really needs to use G_tempfile() is code which
creates files within the GRASS database (e.g. G_open_cell_new() etc),
as the files have to reside on the same filesystem as the rest of the
database.

Everything else can use $TMPDIR.

--
Glynn Clements <glynn@gclements.plus.com>

> > > > Just an update re. less-insecure tempfiles ..

..

> > Maybe someone can help me with this one:
> > lib/db/stubs/BUILD.PROTO

My vote is to simply remove this file. Nobody needs it from
the core 6 developers, AFAIK it's a leftover from GRASS 4.x.

I assume that this will be resolved ASAP in GRASS-CVS.

file removed in CVS.

===

also in cvs:

lib/init/init.sh: /tmp/grass6-.. dir was created with whatever
permissions 'umask' had (could be world-writable). Now read/writable
only by $USER.

check added to lib/init/grass.src for grass-within-grass situation.
  - init.sh assumes /bin/sh is bourne like, grass.src didn't?

===

r.terraflow is the only outstanding /tmp fix to be done.
(waiting for an update from Laura)

===

should we add the SUBMITTING file from 5.4.0 to cvs/head?

Hamish
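
The lib/init/init.sh permission problem described above, as an added example that is not part of the original messages and is not GRASS code. The function names are hypothetical and only the "grass6-" prefix comes from the thread; the example contrasts a directory whose mode follows the caller's umask with one that is always private, plus a check for the result.

```shell
#!/bin/sh
# Added example, not GRASS code. Function names are hypothetical.

# Before: the mode depends on the caller's umask (umask 000 gives 0777).
make_tmpdir_umask_dependent() {
    dir="${TMPDIR:-/tmp}/$1-$$"
    mkdir "$dir" && echo "$dir"
}

# After: always 0700, whatever umask the caller had.
make_private_tmpdir() {
    (
        umask 077   # subshell, so the caller's umask is left untouched
        if command -v mktemp >/dev/null 2>&1; then
            mktemp -d "${TMPDIR:-/tmp}/$1.XXXXXX"
        else
            # mkdir fails if the name already exists (file, dir or symlink),
            # so a pre-planted entry is never silently reused.
            dir="${TMPDIR:-/tmp}/$1.$$"
            mkdir "$dir" && echo "$dir"
        fi
    )
}

# Check: a real directory (not a symlink), owned by us, no group/other bits.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "drwx------" ]
}

# Demo: create a session directory, verify it, clean up.
d=$(make_private_tmpdir grass6-demo) && is_private_dir "$d" && echo "private: $d"
rmdir "$d"
```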

On Tue, Feb 01, 2005 at 04:25:27PM +1300, Hamish wrote:
...

> should we add the SUBMITTING file from 5.4.0 to cvs/head?

Yes, done.
I have updated the file, but please review again.

Markus