Ticket #319 (reopened wishlist)

Opened 8 years ago

Last modified 8 years ago

the use of `tmpnam' is dangerous, better use `mkstemp' in src/archiving/archman/archman.c

Reported by: baker
Owned by: somebody
Priority: minor
Milestone: All Platforms
Component: ALL modules
Version: 7.7
Keywords: tmpnam() mkstemp()
Cc:


The use of tmpnam() in src/archiving/archman/archman.c is dangerous:

icc -m32 -Dlinux -D__i386 -D_LINUX -D_INTEL -D_USE_SCHED  -D_USE_PTHREADS -D_USE_TERMIOS -I/opt/earthworm/earthworm-7.6-5691/include -o /opt/earthworm/earthworm-7.6-5691/bin/archman archman.o /opt/earthworm/earthworm-7.6-5691/lib/socket_ew.o /opt/earthworm/earthworm-7.6-5691/lib/socket_ew_common.o /opt/earthworm/earthworm-7.6-5691/lib/libew_mt.a /opt/earthworm/earthworm-7.6-5691/lib/swap.o lib/libbgs.a -lpthread -lm

archman.o: In function `main':
archman.c:(.text+0x5fb): warning: the use of `tmpnam' is dangerous, better use `mkstemp'

The man page for tmpnam() warns of the security problems and recommends using mkstemp() in its place:

     The tmpnam() and tempnam() functions are susceptible to a race condition
     occurring between the selection of the file name and the creation of the
     file, which allows malicious users to potentially overwrite arbitrary
     files in the system, depending on the level of privilege of the running
     program.  Additionally, there is no means by which file permissions may
     be specified.  It is strongly suggested that mkstemp(3) be used in place
     of these functions.  (See the FSA.)

Instances of tmpnam() should be replaced with mkstemp() in Earthworm.
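
Added example (not part of the ticket, not Earthworm code, and not the change made in r5710): a POSIX-only sketch of the replacement the man page recommends, where mkstemp() chooses the name and creates the file in one exclusive step with mode 0600. The function names, the "archman_" prefix and the use of /tmp are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a scratch file under dir. Returns an open fd
 * and stores the chosen name in path, or returns -1 with errno set.
 * mkstemp() opens the name with O_CREAT|O_EXCL, so there is no window
 * between selecting the name and creating the file, unlike tmpnam()+fopen(). */
int make_scratch_file(const char *dir, char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/archman_XXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(path);
}

/* The check the tmpnam() pattern lacks: refuse a name that already exists.
 * With O_CREAT|O_EXCL a pre-planted file or symlink yields EEXIST. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Permission bits of an open descriptor, or -1 on error. */
int fd_mode(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(void)
{
    char path[256];
    int fd = make_scratch_file("/tmp", path, sizeof path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("%s created with mode %o\n", path, fd_mode(fd));
    if (create_exclusive(path) < 0 && errno == EEXIST)
        puts("second exclusive create on the same name rejected (EEXIST)");
    close(fd);
    unlink(path);   /* remove the scratch file when done */
    return 0;
}
```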

Change History

comment:1 Changed 8 years ago by paulf

  • Status changed from new to closed
  • Resolution set to fixed

Closed in r5710.

Okay, this is my last one for tonight!

comment:2 Changed 8 years ago by paulf

  • Status changed from closed to reopened
  • Resolution fixed deleted

Note: I created a UNIX-only solution for now. At some point when Windows comes to its senses we can fix the Windows side too for archman.
