Hello,

The patch is explained below.
--- File/Temp.pm- 2005-04-03 15:27:16 +0000 +++ File/Temp.pm 2005-08-16 22:50:39 +0000 @@ -679,11 +679,11 @@ sub _is_safe { return 1 if $^O eq 'VMS'; # owner delete control at file level # Check to see whether owner is neither superuser (or a system uid) nor me - # Use the real uid from the $< variable + # Use the effective uid from the $> variable # UID is in [4] - if ($info[4] > File::Temp->top_system_uid() && $info[4] != $<) { + if ($info[4] > File::Temp->top_system_uid() && $info[4] != $>) { - Carp::cluck(sprintf "uid=$info[4] topuid=%s \$<=$< path='$path'", + Carp::cluck(sprintf "st_uid=$info[4] topuid=%s euid=$> path='$path'", File::Temp->top_system_uid()); $$err_ref = "Directory owned neither by root nor the current user" @@ -2241,4 +2241,10 @@ security enhancements. =cut +{ + no strict 'refs'; + File::Temp->safe_level(MEDIUM) + if ${"\cTAINT"}; +} + 1; End of patch

First, the real/effective UID distinction is essential for setuid scripts. Filesystem permissions are controlled by the effective UID of the process. When a privileged script is checking if the directory is safe, it should check that the directory is *not* owned by the caller. Otherwise, the user can replace a temporary file created by the privileged process, which is almost certainly not what we want.

Second, I suggest enabling the MEDIUM security level for taint mode, which is on when running setuid/setgid scripts. It is only at the MEDIUM level that the above _is_safe() security check is performed.
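Review bot: in the _is_safe hunk, the error string that follows the changed `if`, "Directory owned neither by root nor the current user", is now imprecise: with the comparison against $> instead of $<, "current user" in a setuid script reads as the invoking (real) user, which is exactly the owner this change is meant to reject. Suggest "Directory owned neither by root nor the effective user", and check that the POD describing the MEDIUM safe level, which the replaced comment "Use the real uid from the $< variable" used to mirror, is updated the same way. The new Carp::cluck text ("st_uid=... euid=...") already makes the distinction; the user-facing message and the documentation should match it.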
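Review bot: the second hunk changes the default for every program run under taint checking, not only setuid/setgid ones: `${"\cTAINT"}` is a symbolic-reference spelling of ${^TAINT}, which is 1 under -T and also -1 under -t (taint warnings only), so the `if` fires for both and any `perl -T` script using a temporary directory owned by a non-system third party will start failing the ownership test. That is a behaviour change worth a sentence in the POD above the `=cut` ("security enhancements"), together with a comment at the block saying why the `no strict 'refs'` form is used rather than writing ${^TAINT} directly, presumably so the module still compiles on older perls that lack that variable (an assumption; the patch does not say). Also note in the POD that a caller's own explicit safe_level(STANDARD) still takes effect, since this call runs once at module load, before `1;`, and a later call overrides it.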
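To make the real/effective distinction concrete, here is an added example (written for this page, not File::Temp's own code) that models the ownership clause of _is_safe with the pre-patch check (real uid, $<) and the patched check (effective uid, $>), and models the module-load hook that picks MEDIUM from ${^TAINT}. The uids (1000 for the unprivileged invoker, 0 for root), the top_system_uid value of 10 and the numeric values of the STANDARD/MEDIUM/HIGH constants are assumptions for the demonstration; only their ordering matters.

```python
# Added example, not File::Temp code: models the ownership test in _is_safe
# under the old (real uid) and new (effective uid) semantics, plus the
# taint-mode default from the patch.
from dataclasses import dataclass

TOP_SYSTEM_UID = 10            # assumed default of File::Temp->top_system_uid()
STANDARD, MEDIUM, HIGH = 0, 1, 2  # assumed numeric values; only the order is used


@dataclass(frozen=True)
class Process:
    ruid: int  # real uid ($<): the user who invoked the script
    euid: int  # effective uid ($>): what the kernel uses for permission checks


def owner_is_safe(st_uid: int, uid: int, top_system_uid: int = TOP_SYSTEM_UID) -> bool:
    """Ownership clause of _is_safe: the directory must belong to a system uid
    (<= top_system_uid) or to `uid`; anyone else owning it is unsafe.
    Which uid the caller passes (real vs effective) is the whole patch."""
    return not (st_uid > top_system_uid and st_uid != uid)


def check_both(st_uid: int, proc: Process) -> dict:
    """Evaluate the pre-patch ($<) and patched ($>) variants side by side."""
    return {
        "real_uid_check": owner_is_safe(st_uid, proc.ruid),
        "effective_uid_check": owner_is_safe(st_uid, proc.euid),
    }


# Constructed scenarios: (directory owner uid, process credentials)
SCENARIOS = {
    # setuid-root script invoked by uid 1000, temp dir owned by 1000:
    # the invoker could swap files out from under the privileged process
    "setuid_root_dir_owned_by_invoker": (1000, Process(ruid=1000, euid=0)),
    # same script, dir owned by root (e.g. a root-owned /tmp)
    "setuid_root_dir_owned_by_root": (0, Process(ruid=1000, euid=0)),
    # ordinary script: real == effective, both checks agree
    "plain_script_own_dir": (1000, Process(ruid=1000, euid=1000)),
    # dir owned by an unrelated non-system user: both checks reject
    "plain_script_foreign_dir": (1001, Process(ruid=1000, euid=1000)),
}


def run_scenarios() -> dict:
    return {name: check_both(st_uid, proc) for name, (st_uid, proc) in SCENARIOS.items()}


def default_safe_level(taint_flag: int) -> int:
    """Model of the patch's module-load hook: MEDIUM whenever ${^TAINT} is
    true. ${^TAINT} is 1 under -T, -1 under -t (warnings only), 0 otherwise,
    so a bare truth test selects MEDIUM for -t as well."""
    return MEDIUM if taint_flag else STANDARD


def is_safe(level: int, st_uid: int, proc: Process) -> bool:
    """Only MEDIUM and above run the ownership test; STANDARD skips it."""
    if level < MEDIUM:
        return True
    return owner_is_safe(st_uid, proc.euid)


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:36s} real-uid check: {result['real_uid_check']!s:5} "
              f"effective-uid check: {result['effective_uid_check']}")
    for flag in (0, 1, -1):
        print(f"${{^TAINT}}={flag:2d} -> safe level {default_safe_level(flag)}")
```

The first scenario is the one the message describes: the pre-patch check accepts the invoker-owned directory because $< equals the owner, while the patched check rejects it because the file operations will run as the effective uid (root), which does not own it. The other scenarios show that nothing changes for non-setuid programs.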