On Wed, Apr 17, 2002 at 05:15:28PM -0500, fvwm-bug wrote:
> FVWM Bug Tracking notification
>
> new message incoming/875
>
> Full_Name: Jan Echternach
> Version: 2.4.7
> CVS_Date:
> OS: Linux
> X_Server: XFree86 3.3.6
> Submission from: (NULL) (62.104.208.83)
>
>
> tempnam() may use $TMPDIR. If that directory is writable by other users,
> a temporary file may be created insecurely. I'm attaching a simple patch
> that also uses getpwuid() more carefully, and looks at $HOME as the fvwm2.1
> man page describes.
>
> Note 1: The patch compiles, but I haven't tested it because I don't use
> session management.
>
> Note 2: The man page doesn't mention TMPDIR, maybe this should be fixed
> as well.
>
> Note 3: FvwmCpp.c and FvwmM4.c also create temporary files, but with mode
> 0644. I think this should be changed to 0600.

Thanks for the patch. I have committed it to the development code. If it works fine, I'll add it to the stable branch too.

Bye

Dominik ^_^ ^_^

--
Dominik Vogt, [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
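
The concern raised in the report (a temporary file placed in a directory other users can write to, and temporary files created with mode 0644) can be illustrated with the following added example, which is not part of the thread and is not the submitted patch. The function names and the `.fs-XXXXXX` template are hypothetical; the sketch refuses any directory that is not owned by the caller or that is group/other writable, prefers $HOME with a getpwuid() fallback, and creates the file with mkstemp() under a 077 umask.

```c
#define _XOPEN_SOURCE 700
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if dir is a directory we own that group and other cannot write to. */
int dir_is_private(const char *dir)
{
    struct stat st;

    if (dir == NULL || stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == geteuid() && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Prefer $HOME, fall back to the passwd entry; NULL if neither is private.
 * $TMPDIR is deliberately not consulted. */
const char *pick_private_dir(void)
{
    const char *home = getenv("HOME");
    struct passwd *pw;

    if (dir_is_private(home))
        return home;
    pw = getpwuid(getuid());            /* may return NULL: check it */
    if (pw != NULL && dir_is_private(pw->pw_dir))
        return pw->pw_dir;
    return NULL;
}

/* Create a mode-0600 temp file in dir. Fills path; returns an fd or -1. */
int make_private_temp(const char *dir, char *path, size_t len)
{
    mode_t old;
    int fd;

    /* Hypothetical name template; reject truncated paths and shared dirs. */
    if (!dir_is_private(dir) ||
        (size_t)snprintf(path, len, "%s/.fs-XXXXXX", dir) >= len)
        return -1;
    old = umask(077);   /* very old libcs created mkstemp files with wider modes */
    fd = mkstemp(path); /* O_CREAT|O_EXCL: never follows a pre-planted name */
    umask(old);
    return fd;
}
```
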