From: Akim Demaille Date: Fri, 17 Mar 2000 08:40:27 +0000 (+0000) Subject: * acspecific.m4 (AC_SYS_LONG_FILE_NAMES): Security fixes: create X-Git-Tag: autoconf-2.50~1032 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ab542b1f77d5b0319ef92dcc776f84b9d8baeb4c;p=thirdparty%2Fautoconf.git * acspecific.m4 (AC_SYS_LONG_FILE_NAMES): Security fixes: create the temp files in a private temporary directory, not directly in TMPDIR. --- diff --git a/ChangeLog b/ChangeLog index 50163112c..9acffbc85 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2000-03-17 Joseph S. Myers + + * acspecific.m4 (AC_SYS_LONG_FILE_NAMES): Security fixes: create + the temp files in a private temporary directory, not directly in + TMPDIR. + 2000-03-17 Akim Demaille Install the IFS we need once for all. diff --git a/THANKS b/THANKS index 8d9866c0f..fc3eb23c1 100644 --- a/THANKS +++ b/THANKS @@ -55,6 +55,7 @@ John David Anglin dave@hiauly1.hia.nrc.ca John Interrante interran@uluru.stanford.edu John W. Eaton jwe@bevo.che.wisc.edu J"orn Rennecke amylaar@cygnus.co.uk +Joseph S. Myers jsm28@cam.ac.uk Julian Onions j.onions@nexor.co.uk Karl Berry karl@cs.umb.edu Karl Heuer kwzh@gnu.org diff --git a/acspecific.m4 b/acspecific.m4 index 581912890..92edc1a90 100644 --- a/acspecific.m4 +++ b/acspecific.m4 
@@ -3005,6 +3005,17 @@ AC_DEFUNCT(AC_ARG_ARRAY, [; don't do unportable things with arguments]) # AC_SYS_LONG_FILE_NAMES # ---------------------- +# Security: use a temporary directory as the most portable way of +# creating files in /tmp securely. Removing them leaves a race +# condition, set -C is not portably guaranteed to use O_EXCL, so still +# leaves a race, and not all systems have the `mktemp' utility. We +# still test for existence first in case of broken systems where the +# mkdir succeeds even when the directory exists. Broken systems may +# retain a race, but they probably have other security problems +# anyway; this should be secure on well-behaved systems. In any case, +# use of `mktemp' is probably inappropriate here since it would fail in +# attempting to create different file names differing after the 14th +# character on file systems without long file names. AC_DEFUN(AC_SYS_LONG_FILE_NAMES, [AC_CACHE_CHECK(for long file names, ac_cv_sys_long_file_names, [ac_cv_sys_long_file_names=yes 
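Review bot: The added comment's second sentence, "Removing them leaves a race condition", does not say what is removed or when, and it can be read as if the cleanup step were the problem. It presumably refers to deleting a pre-existing file before writing the test file, so I would say so, e.g. `# creating files in /tmp securely.  Removing a pre-existing file before writing still leaves a race`. The comment should also name the invariant the code depends on: the test files are safe only because `mkdir` fails when the name already exists and the directory is created under `umask 077`. The same comment is added by the matching hunk in lib/autoconf/specific.m4.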
@@ -3019,22 +3030,27 @@ AC_DEFUN(AC_SYS_LONG_FILE_NAMES, # /var/tmp likewise # /usr/tmp likewise if test -n "$TMPDIR" && test -d "$TMPDIR" && test -w "$TMPDIR"; then - ac_tmpdirs="$TMPDIR" + ac_tmpdirs=$TMPDIR else ac_tmpdirs='/tmp /var/tmp /usr/tmp' fi for ac_dir in . $ac_tmpdirs `eval echo $prefix/lib $exec_prefix/lib` ; do test -d $ac_dir || continue test -w $ac_dir || continue # It is less confusing to not echo anything here. - (echo 1 >$ac_dir/conftest9012345) 2>/dev/null - (echo 2 >$ac_dir/conftest9012346) 2>/dev/null - ac_val=`cat $ac_dir/conftest9012345 2>/dev/null` - if test ! -f $ac_dir/conftest9012345 || test "$ac_val" != 1; then + ac_xdir=$ac_dir/cf$$ + test -e $ac_xdir && continue + (umask 077 && mkdir $ac_xdir 2>/dev/null) || continue + ac_tf1=$ac_xdir/conftest9012345 + ac_tf2=$ac_xdir/conftest9012346 + (echo 1 >$ac_tf1) 2>/dev/null + (echo 2 >$ac_tf2) 2>/dev/null + ac_val=`cat $ac_tf1 2>/dev/null` + if test ! -f $ac_tf1 || test "$ac_val" != 1; then ac_cv_sys_long_file_names=no - rm -f $ac_dir/conftest9012345 $ac_dir/conftest9012346 2>/dev/null + rm -rf $ac_xdir 2>/dev/null break fi - rm -f $ac_dir/conftest9012345 $ac_dir/conftest9012346 2>/dev/null + rm -rf $ac_xdir 2>/dev/null done]) if test $ac_cv_sys_long_file_names = yes; then AC_DEFINE(HAVE_LONG_FILE_NAMES, 1, diff --git a/lib/autoconf/specific.m4 b/lib/autoconf/specific.m4 index 581912890..92edc1a90 100644 --- a/lib/autoconf/specific.m4 +++ b/lib/autoconf/specific.m4 
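Review bot: The `test -e $ac_xdir && continue` line is not what protects the probe. `-e` is missing from some older Bourne shell `test` implementations, and it follows symlinks, so it reports a dangling link as absent. The real gate is `mkdir` failing on an existing name, and the code should rely on that alone. The new paths are also expanded unquoted, which matters more now that cleanup is `rm -rf` on a computed path rather than `rm -f` on two fixed file names. I would write `(umask 077 && mkdir "$ac_xdir" 2>/dev/null) || continue` and `rm -rf "$ac_xdir" 2>/dev/null`. When `cf$$` already exists the directory is skipped silently, so the cached value can keep its default `yes` without that directory being probed, which deserves at least a comment. The identical hunk in lib/autoconf/specific.m4 has the same lines, and the AC_DEFUN body starts before this hunk and continues past it.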
@@ -3005,6 +3005,17 @@ AC_DEFUNCT(AC_ARG_ARRAY, [; don't do unportable things with arguments]) # AC_SYS_LONG_FILE_NAMES # ---------------------- +# Security: use a temporary directory as the most portable way of +# creating files in /tmp securely. Removing them leaves a race +# condition, set -C is not portably guaranteed to use O_EXCL, so still +# leaves a race, and not all systems have the `mktemp' utility. We +# still test for existence first in case of broken systems where the +# mkdir succeeds even when the directory exists. Broken systems may +# retain a race, but they probably have other security problems +# anyway; this should be secure on well-behaved systems. In any case, +# use of `mktemp' is probably inappropriate here since it would fail in +# attempting to create different file names differing after the 14th +# character on file systems without long file names. AC_DEFUN(AC_SYS_LONG_FILE_NAMES, [AC_CACHE_CHECK(for long file names, ac_cv_sys_long_file_names, [ac_cv_sys_long_file_names=yes 
@@ -3019,22 +3030,27 @@ AC_DEFUN(AC_SYS_LONG_FILE_NAMES, # /var/tmp likewise # /usr/tmp likewise if test -n "$TMPDIR" && test -d "$TMPDIR" && test -w "$TMPDIR"; then - ac_tmpdirs="$TMPDIR" + ac_tmpdirs=$TMPDIR else ac_tmpdirs='/tmp /var/tmp /usr/tmp' fi for ac_dir in . $ac_tmpdirs `eval echo $prefix/lib $exec_prefix/lib` ; do test -d $ac_dir || continue test -w $ac_dir || continue # It is less confusing to not echo anything here. - (echo 1 >$ac_dir/conftest9012345) 2>/dev/null - (echo 2 >$ac_dir/conftest9012346) 2>/dev/null - ac_val=`cat $ac_dir/conftest9012345 2>/dev/null` - if test ! -f $ac_dir/conftest9012345 || test "$ac_val" != 1; then + ac_xdir=$ac_dir/cf$$ + test -e $ac_xdir && continue + (umask 077 && mkdir $ac_xdir 2>/dev/null) || continue + ac_tf1=$ac_xdir/conftest9012345 + ac_tf2=$ac_xdir/conftest9012346 + (echo 1 >$ac_tf1) 2>/dev/null + (echo 2 >$ac_tf2) 2>/dev/null + ac_val=`cat $ac_tf1 2>/dev/null` + if test ! -f $ac_tf1 || test "$ac_val" != 1; then ac_cv_sys_long_file_names=no - rm -f $ac_dir/conftest9012345 $ac_dir/conftest9012346 2>/dev/null + rm -rf $ac_xdir 2>/dev/null break fi - rm -f $ac_dir/conftest9012345 $ac_dir/conftest9012346 2>/dev/null + rm -rf $ac_xdir 2>/dev/null done]) if test $ac_cv_sys_long_file_names = yes; then AC_DEFINE(HAVE_LONG_FILE_NAMES, 1,