Alexey Tourbin wrote:
> Hello,
>
> The patch is explained below.

This patch looks sensible to me. Tim, any objection?
Also, why use ${"\cTAINT"} instead of ${^TAINT}? For older perls, I suppose?

> --- File/Temp.pm- 2005-04-03 15:27:16 +0000 > +++ File/Temp.pm 2005-08-16 22:50:39 +0000 > @@ -679,11 +679,11 @@ sub _is_safe { > return 1 if $^O eq 'VMS'; # owner delete control at file level > > # Check to see whether owner is neither superuser (or a system uid) nor me > - # Use the real uid from the $< variable > + # Use the effective uid from the $> variable > # UID is in [4] > - if ($info[4] > File::Temp->top_system_uid() && $info[4] != $<) { > + if ($info[4] > File::Temp->top_system_uid() && $info[4] != $>) { > > - Carp::cluck(sprintf "uid=$info[4] topuid=%s \$<=$< path='$path'", > + Carp::cluck(sprintf "st_uid=$info[4] topuid=%s euid=$> path='$path'", > File::Temp->top_system_uid()); > > $$err_ref = "Directory owned neither by root nor the current user" > @@ -2241,4 +2241,10 @@ security enhancements. > > =cut > > +{ > + no strict 'refs'; > + File::Temp->safe_level(MEDIUM) > + if ${"\cTAINT"}; > +} > + > 1;
> End of patch
>
> First, real/effective UID distinction is essential for setuid scripts.
> Filesystem permissions are controlled by the effective UID of the
> process. When a privileged script is checking if the directory is safe,
> it should check that the directory is *not* owned by the caller.
> Otherwise, the user can replace a temporary file created by the
> privileged process, which is almost certainly not what we want.
>
> Second, I suggest enabling the MEDIUM security level for taint mode,
> which is on when running setuid/setgid scripts. It's only at MEDIUM
> level that the above _is_safe() security check is performed.
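Review bot: in the _is_safe hunk, comparing st_uid against $> instead of $< is the right test (a setuid-root script now has $> == 0, so a directory owned by the unprivileged real user no longer passes as "me"), but the error text assigned to $$err_ref just below, "Directory owned neither by root nor the current user", still says "current user" and should say "effective user" to match the new comparison and the updated comment; if the POD describes the MEDIUM check in the same words it needs the same fix. Two smaller points: the cluck diagnostic renames its keys (uid= to st_uid=, \$<= to euid=), so anything matching the old format will stop matching and that deserves a line in Changes; and $path is interpolated straight into the sprintf format string (pre-existing, not introduced here), so a directory name containing % is parsed as a conversion, which is avoided by passing it as an argument alongside top_system_uid().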
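Review bot: in the hunk before `1;`, the new block runs once at module load and raises the global default safe_level for every program running under taint mode, not only setuid/setgid ones (taint mode can also be switched on explicitly with -T), and at MEDIUM the ownership check from the first hunk turns a tempdir owned by anyone other than root, a system uid or the effective user into a failure; that behaviour change belongs in the POD right above (the hunk sits after the "security enhancements" section) and in Changes, with a note that a later explicit safe_level() call in the application still overrides it. The block should also carry a comment saying why ${"\cTAINT"} under `no strict 'refs'` is used rather than ${^TAINT}: if the aim is to load on perls that lack the variable, the symbolic lookup yields undef there and the block becomes a silent no-op, which is only acceptable if that is the intent.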