Christian Schwarz wrote:
> The following policy change has been proposed. It will become official
> unless someone objects now:
>
> Any scripts which create files in world-writable directories (i.e.
> in /tmp) have to use a mechanism which will fail if a file with
> the same name already exists.
I don't think this is good enough. The point isn't really to do this, it's
to create files in /tmp in a secure manner. I can see someone who isn't
familiar with the security issues reading the above and using something like
this:

    TMPFILE=/tmp/myfile.$$
    if [ -e "$TMPFILE" ]; then
        exit 1
    fi
    echo foo >$TMPFILE

And that's just not safe ($TMPFILE could be created in between the -e check
and when the script writes to it).
> The Debian base distribution provides the `tempfile' utility for
> use by scripts for this purpose.
--
see shy jo
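
The race described in the reply above, next to a creation step that fails atomically when the name is already taken. This is an added example, not part of the original message or of Debian policy; the function names, the hook argument that stands in for the other process, and the scratch directory are all constructed for illustration.

```sh
#!/bin/sh
# Check-then-create as in the message, with an optional hook standing in for
# whatever another process does between the -e test and the write.
racy_create() {
    f=$1; hook=${2:-:}
    [ -e "$f" ] && return 1
    $hook "$f"              # the window between check and use
    echo foo >"$f"          # plain > writes into whatever is there by now
}

# Atomic form: under noclobber (set -C) the shell creates the file with
# O_CREAT|O_EXCL, so the existence test and the creation are one system call.
# The subshell body keeps set -C and the umask from leaking into the caller.
excl_create() (
    set -C
    umask 077
    { echo foo >"$1"; } 2>/dev/null
)

# Stand-in for the other process: it gets its file in place first.
other_process() { echo "not ours" >"$1"; }

# Runs both variants in a private scratch directory and reports what happened.
demo() {
    dir=$(mktemp -d) || return 1
    # File appears inside the window: the check passed, the write goes ahead.
    if racy_create "$dir/a" other_process; then r1=wrote; else r1=refused; fi
    c1=$(cat "$dir/a")
    # File already present: the exclusive create refuses and leaves it alone.
    other_process "$dir/b"
    if excl_create "$dir/b"; then r2=wrote; else r2=refused; fi
    c2=$(cat "$dir/b")
    # Name is free: the exclusive create succeeds.
    if excl_create "$dir/c"; then r3=wrote; else r3=refused; fi
    rm -rf "$dir"
    echo "racy=$r1/$c1 excl=$r2/$c2 fresh=$r3"
}

demo
```

A script that gets "refused" should abort or pick a new name and retry, never fall back to a plain redirect.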