Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#5186 closed defect (fixed)

mkstemp() should be wrapped by umask

Reported by: Erik Hovland <erik@…> Owned by: danielk
Priority: minor Milestone: unknown
Component: mythtv Version: head
Severity: low Keywords:
Cc: Ticket locked: no

Description

In programs/mythfilldatabase/filldata.cpp in the member function FillData::grabData() there is a call to mkstemp(). Which is the right function to use when making temporary files. But when using mkstemp() it is important to explicitly set the umask of the process before call. That way there is no doubt the the permissions on the temporary file are known to be safe.

Attachments (1)

programs_mythfilldatabase_filldata.cpp-always-umask-before-mkstemp.patch (1.1 KB) - added by Erik Hovland <erik@…> 12 years ago.
wrap mkstemp() in umask() calls to make sure file perms are safe

Download all attachments as: .zip

Change History (6)

Changed 12 years ago by Erik Hovland <erik@…>

wrap mkstemp() in umask() calls to make sure file perms are safe

comment:1 Changed 12 years ago by danielk

Owner: changed from Isaac Richards to danielk
Status: newassigned

We should probably also be using the MythTV wrapper for mkstemp in util.{h,cpp} ...

comment:2 Changed 12 years ago by danielk

(In [17226]) Refs #5186. Adds error checking to DataDirectProcessor?'s temporary file usage.

comment:3 Changed 12 years ago by danielk

(In [17229]) Refs #5186. Fixes copy-n-paste error in as yet unused fatal error handling code.

comment:4 Changed 12 years ago by danielk

Resolution: fixed
Status: assignedclosed

(In [17230]) Fixes #5186. Fixes error handling for mkstemp in filldata & closes an unlikely but possible umask security hole.

comment:5 Changed 12 years ago by danielk

(In [17262]) Refs #5186. Fixes a bug in [17226] pointed out by R.G. Newbury, the ok value isn't initialized properly in three of the get's for temporary file names. This leads to a possible failure if the file already exists.

Note: See TracTickets for help on using tickets.