Tom Lane wrote:
> Neil Conway <[EMAIL PROTECTED]> writes:
> > On Wed, 2004-10-20 at 06:18, Rod Taylor wrote:
> >> http://secunia.com/advisories/12860/
>
> > This seems like a rather inconsequential problem,
>
> Indeed, since ordinary users have no use for make_oidjoins_check.
> It's surely very implausible that anyone would run it as root; and
> even if someone did, the attacker cannot control what gets written.
>
> > but it should be fixed. The first two ideas that come to mind: use
> > temporary files in $PWD rather than /tmp, or create a subdirectory in
> > /tmp to use for the temporary files.
>
> I believe that the subdirectory idea is also vulnerable without great
> care.
I believe the proper way to handle this is a new directory under /tmp.
I use this in my local scripts:
TMP=/tmp/$$
OMASK="`umask`"
umask 077
if ! mkdir "$TMP"
then echo "Can't create temporary directory $TMP." 1>&2
exit 1
fi
umask "$OMASK"
unset OMASK
It basically makes sure it creates a new directory under /tmp with a
umask that guarantees no one else can create a file in that directory.
All temp files are accessed as $TMP/XXX.
--
Bruce Momjian | http://candle.pha.pa.us
[EMAIL PROTECTED] | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster
