Alexey Tourbin wrote:
> Hello,
> 
> The patch is explained below.

This patch looks sensible to me. Tim, any objection?

Also, why use ${"\cTAINT"} instead of ${^TAINT}? For older perls, I suppose?

> --- File/Temp.pm-     2005-04-03 15:27:16 +0000
> +++ File/Temp.pm      2005-08-16 22:50:39 +0000
> @@ -679,11 +679,11 @@ sub _is_safe {
>    return 1 if $^O eq 'VMS';  # owner delete control at file level
>  
>    # Check to see whether owner is neither superuser (or a system uid) nor me
> -  # Use the real uid from the $< variable
> +  # Use the effective uid from the $> variable
>    # UID is in [4]
> -  if ($info[4] > File::Temp->top_system_uid() && $info[4] != $<) {
> +  if ($info[4] > File::Temp->top_system_uid() && $info[4] != $>) {
>  
> -    Carp::cluck(sprintf "uid=$info[4] topuid=%s \$<=$< path='$path'",
> +    Carp::cluck(sprintf "st_uid=$info[4] topuid=%s euid=$> path='$path'",
>               File::Temp->top_system_uid());
>  
>      $$err_ref = "Directory owned neither by root nor the current user"
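Review bot: the Carp::cluck call interpolates `$info[4]`, `$>` and `$path` directly into the sprintf format string, so a directory name containing `%` would be treated as a conversion and the warning would be wrong or die; pass every value as an argument instead, e.g. `sprintf "st_uid=%d topuid=%s euid=%d path='%s'", $info[4], File::Temp->top_system_uid(), $>, $path`. The switch from `$<` to `$>` itself looks right: under setuid the effective uid is the one the kernel uses for permission checks, and for non-setuid scripts the two are equal, so only privileged callers see a change.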
> @@ -2241,4 +2241,10 @@ security enhancements.
>  
>  =cut
>  
> +{
> +    no strict 'refs';
> +    File::Temp->safe_level(MEDIUM)
> +        if ${"\cTAINT"};
> +}
> +
>  1;
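Review bot: this block changes the default safe level for every program running under taint mode, but the POD section it sits just below (the `safe_level` documentation ending with "security enhancements.") is not updated to say so; a sentence stating that the default becomes MEDIUM when taint checking is enabled, and that callers can still lower or raise it with `safe_level`, should be added. The `no strict 'refs'` / `${"\cTAINT"}` spelling also deserves a one-line comment explaining why the symbolic-reference form is used rather than `${^TAINT}`, since the intent (reading undef on perls that lack the variable instead of failing to compile) is not obvious from the code.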
> End of patch
> 
> First, real/effective UID distinction is essential for setuid scripts.
> Filesystem permissions are controlled by the effective UID of the
> process.  When a privileged script is checking if the directory is safe,
> it should check that the directory is *not* owned by the caller.
> Otherwise, the user can replace a temporary file created by the
> privileged process, which is almost certainly not what we want.
> 
> Second, I suggest enabling the MEDIUM security level for taint mode,
> which is on when running setuid/setgid scripts.  It's only at MEDIUM
> level that the above _is_safe() security check is performed.
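To make the real/effective uid argument concrete, here is a standalone directory-safety check in the spirit of File::Temp's `_is_safe()`; it is an added example, not the patch or File::Temp's own code, and the system-uid ceiling of 10 and the helper name `is_safe_dir` are assumptions for illustration. Run it as a plain script and then as a setuid script to see `$<` and `$>` diverge.

```perl
#!/usr/bin/perl
# Added example (not File::Temp code): directory ownership check that
# compares the owner against the effective uid ($>), as the patch argues.
use strict;
use warnings;
use File::stat;      # stat() returning an object with ->uid and ->mode
use Fcntl ':mode';   # S_ISDIR, S_IWGRP, S_IWOTH, S_ISVTX

# Assumed ceiling for "system" accounts whose directories are trusted.
my $TOP_SYSTEM_UID = 10;

sub is_safe_dir {
    my ($path, $err_ref) = @_;
    my $st = stat($path)
        or do { $$err_ref = "cannot stat $path: $!"; return 0 };
    unless (S_ISDIR($st->mode)) {
        $$err_ref = "$path is not a directory";
        return 0;
    }
    # Owner must be a system account or the *effective* user. In a setuid
    # script $> is the privileged uid, so a directory owned by the real
    # (calling) user is rejected here instead of being accepted as "mine".
    if ($st->uid > $TOP_SYSTEM_UID && $st->uid != $>) {
        $$err_ref = sprintf("st_uid=%d topuid=%d euid=%d path='%s'",
                            $st->uid, $TOP_SYSTEM_UID, $>, $path);
        return 0;
    }
    # A group- or world-writable directory is only acceptable with the
    # sticky bit (as on /tmp); otherwise others can rename or unlink our file.
    my $mode = $st->mode;
    if (($mode & (S_IWGRP | S_IWOTH)) && !($mode & S_ISVTX)) {
        $$err_ref = "$path is writable by others without the sticky bit";
        return 0;
    }
    return 1;
}

printf "real uid=%d effective uid=%d\n", $<, $>;
my $err;
for my $dir (@ARGV ? @ARGV : ('/tmp')) {
    print is_safe_dir($dir, \$err) ? "$dir: safe\n" : "$dir: unsafe ($err)\n";
}
```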
