|
From: | Eric Blake |
Subject: | Re: [PATCH v2 01/23] iotests: Introduce $SOCK_DIR |
Date: | Fri, 18 Oct 2019 08:30:16 -0500 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.1.0 |
On 10/18/19 4:03 AM, Max Reitz wrote:
-if [ ! -e "$TEST_DIR" ]; then - mkdir "$TEST_DIR" +tmp_sock_dir=false +if [ -z "$SOCK_DIR" ]; then + SOCK_DIR=$(mktemp -d) + tmp_sock_dir=true fi +mkdir -p "$SOCK_DIR" || _init_error 'Failed to create SOCK_DIR'Thinking about this again: if the user passed in a name, we probably want to use it no matter whether the directory already exists (mkdir -p makes sense: either the directory did not exist, or the user is in charge of passing us a directory that they already secured). But if we generate our own name in a world-writable location in /tmp, using mkdir -p means someone else can race us to the creation of the directory, and potentially populate it in a way to cause us a security hole while we execute our tests.I don’t quite see how this is a security hole. mktemp -d creates the directory, so noone can race us.
Aha - I confused 'mktemp -u' (necessary for creating a socket name) and 'mktemp -d' (for directories). With that confusion cleared up, yes, the directory is safely created (or else the burden is on the caller), so:
Reviewed-by: Eric Blake <address@hidden> -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226 Virtualization: qemu.org | libvirt.org
[Prev in Thread] | Current Thread | [Next in Thread] |