bug#28317: Non-portable sh script

bug-automake

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#28317: Non-portable sh script - $RANDOM

From:	Mathieu Lirzin
Subject:	bug#28317: Non-portable sh script - $RANDOM
Date:	Fri, 01 Sep 2017 19:40:09 +0200
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

Hello,

Eric Blake <address@hidden> writes:

> tag 28317 notabug
> thanks
>
> On 09/01/2017 07:17 AM, Neven Sajko wrote:
>> automake version 1.15.1, also in latest git master.
>> 
>> See
>> 
>> https://git.savannah.gnu.org/cgit/automake.git/tree/lib/install-sh#n327
>
> Let's look at it in context:
>
>           *)
>             tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
>             trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit
> $ret' 0
>
>             if (umask $mkdir_umask &&
>                 exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d")
>>/dev/null 2>&1
>             then
>               if test -z "$dir_arg" || {
>                    # Check for POSIX incompatibilities with -m.
>                    # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
>                    # other-writable bit of parent directory when it
> shouldn't.
>                    # FreeBSD 6.1 mkdir -m -p sets mode of existing
> directory.
>                    ls_ld_tmpdir=`ls -ld "$tmpdir"`
>                    case $ls_ld_tmpdir in
>                      d????-?r-*) different_mode=700;;
>                      d????-?--*) different_mode=755;;
>                      *) false;;
>                    esac &&
>                    $mkdirprog -m$different_mode -p -- "$tmpdir" && {
>                      ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
>                      test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
>                    }
>                  }
>               then posix_mkdir=:
>               fi
>               rmdir "$tmpdir/d" "$tmpdir"
>             else
>               # Remove any dirs left behind by ancient mkdir
> implementations.
>               rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
>             fi
>             trap '' 0;;
>         esac;;
>
>> 
>> The RANDOM variable giving pseudo-random numbers is not a POSIX sh
>> feature. Dash, for example, does not implement it.
>
> Correct. But for shells that do not implement it, it will expand to the
> empty string, at which point we are merely naming our directory ins-$$,
> which is still a (somewhat) random name, because it depends on the pid.
> True, when $RANDOM is not supported, it's easier to guess the name being
> used, but the REAL test is whether the code correctly handles the case
> where an attacker races with your probe of an available name and your
> subsequent use of the name.  _This_ code is specifically calling mkdir
> (which is race-free) as the only use of $tmpdir, and therefore, even
> when $RANDOM is not supported, we are not opening ourselves to attack.
>
> Therefore, even though we know it is not POSIX, we also don't care.
> This is not a shortcoming that needs to be patched.
>
>> Maybe this would work instead:
>> 
>> random=`dd 'if=/dev/urandom' 'count=1' 'bs=256' 2>/dev/null | cksum | sed 
>> "$r"`\
>> `date -u | cksum | sed "$r"`
>
> No, there's no need to furrther complicate something that is already
> correct even when $RANDOM is empty.

I agree with Eric reasoning.

Thanks for the report.

-- 
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761  070D 0ADE E100 9460 4D37

[Prev in Thread]

Current Thread

[Next in Thread]

bug#28317: Non-portable sh script - $RANDOM, Neven Sajko, 2017/09/01
- bug#28317: Non-portable sh script - $RANDOM, Eric Blake, 2017/09/01
  - bug#28317: Non-portable sh script - $RANDOM, Mathieu Lirzin <=

Prev by Date: bug#28317: Non-portable sh script - $RANDOM
Next by Date: bug#27781: LIBOBJS should depend on LIBOBJDIR
Previous by thread: bug#28317: Non-portable sh script - $RANDOM
Next by thread: bug#27781: LIBOBJS should depend on LIBOBJDIR
Index(es):
- Date
- Thread