Closed p5pRT closed 21 years ago
Below is the output from running ./perl harness.
lib/ftmp-security...ok 3/13File::Temp::_gettemp: Parent directory (./) is not safe (sticky bit not set when world writable?) at lib/ftmp-security.t line 97
Error in tempfile() using ./temptestXXXXXXXX at lib/ftmp-security.t line 97
lib/ftmp-security...dubious
Test returned status 255 (wstat 65280\, 0xff00)
DIED. FAILED tests 6-13
Failed 8/13 tests\, 38.46% okay
This is the output from running ./perl lib/ftmp-security.t :
1..13 ok 1 # Testing with STANDARD security... # Fname1 = ./temptestYCPjeLht ok 2 ok 3 # Testing with MEDIUM security... File::Temp::_gettemp: Parent directory (./) is not safe (sticky bit not set when world writable?) at lib/ftmp-security.t line 97 Error in tempfile() using ./temptestXXXXXXXX at lib/ftmp-security.t line 97 ok 4 ok 5
I looked in the file but there were no specific warnings or comments about this test on HP's.
I am trying to learn about the perl internals and any suggestions at what to look at for this test and what direction I could proceed for developing a patch make work correctly on a HP would be greatly appreciated.
On Wed\, 16 Aug 2000\, 'David Scott Urban wrote:
This is a bug report for perl from urban@spica.ast.lmco.com\, generated with the help of perlbug 1.31 running under perl v5.7.0.
----------------------------------------------------------------- [Please enter your report here] Below is the output from running ./perl harness.
lib/ftmp-security...ok 3/13File::Temp::_gettemp: Parent directory (./) is not safe (sticky bit not set when world writable?) at lib/ftmp-security.t line 97 Error in tempfile() using ./temptestXXXXXXXX at lib/ftmp-security.t line 97 lib/ftmp-security...dubious
Test returned status 255 (wstat 65280\, 0xff00) DIED. FAILED tests 6-13 Failed 8/13 tests\, 38.46% okayThis is the output from running ./perl lib/ftmp-security.t :
1..13 ok 1 # Testing with STANDARD security... # Fname1 = ./temptestYCPjeLht ok 2 ok 3 # Testing with MEDIUM security... File::Temp::_gettemp: Parent directory (./) is not safe (sticky bit not set when world writable?) at lib/ftmp-security.t line 97 Error in tempfile() using ./temptestXXXXXXXX at lib/ftmp-security.t line 97 ok 4 ok 5
Out of interest\, was the directory you were running in world writable?
% ls -l .
I looked in the file but there were no specific warnings or comments about this test on HP's.
I am trying to learn about the perl internals and any suggestions at what to look at for this test and what direction I could proceed for developing a patch make work correctly on a HP would be greatly appreciated.
The MEDIUM security test simply checks to see if the directory you wish to place the file in is safe. If the directory is only writable by you then no problem. If the directory is world writable it checks that the sticky bit is set.
The _is_safe subroutine in File::Temp does this test:
# Check to see whether owner is neither superuser (or a system uid) nor me # Use the real uid from the $\< variable # UID is in [4] if ( $info[4] > File::Temp->top_system_uid() && $info[4] != $\<) { carp "Directory owned neither by root nor the current user"; return 0; }
# check whether group or other can write file # use 066 to detect either reading or writing # use 022 to check writability # Do it with S_IWOTH and S_IWGRP for portability (maybe) # mode is in info[2] if (($info[2] & &Fcntl::S_IWGRP) || # Is group writable? ($info[2] & &Fcntl::S_IWOTH) ) { # Is world writable? return 0 unless -d _; # Must be a directory return 0 unless -k _; # Must be sticky }
I'm assuming HPUX recognizes stickyness? If this test is not true you will get the error.
The strange thing is that it passes the HIGH security test. That test effectively runs _is_safe for all the direcories above you (including the current). I do not understand how MEDIUM fails but HIGH passes.
On Wed\, 16 Aug 2000\, Tim Jenness wrote:
On Wed\, 16 Aug 2000\, 'David Scott Urban wrote:
This is a bug report for perl from urban@spica.ast.lmco.com\, generated with the help of perlbug 1.31 running under perl v5.7.0.
----------------------------------------------------------------- [Please enter your report here] Below is the output from running ./perl harness.
lib/ftmp-security...ok 3/13File::Temp::_gettemp: Parent directory (./) is not safe (sticky bit not set when world writable?) at lib/ftmp-security.t line 97 Error in tempfile() using ./temptestXXXXXXXX at lib/ftmp-security.t line 97 lib/ftmp-security...dubious
Test returned status 255 (wstat 65280\, 0xff00) DIED. FAILED tests 6-13 Failed 8/13 tests\, 38.46% okayThis is the output from running ./perl lib/ftmp-security.t :
1..13 ok 1 # Testing with STANDARD security... # Fname1 = ./temptestYCPjeLht ok 2 ok 3 # Testing with MEDIUM security... File::Temp::_gettemp: Parent directory (./) is not safe (sticky bit not set when world writable?) at lib/ftmp-security.t line 97 Error in tempfile() using ./temptestXXXXXXXX at lib/ftmp-security.t line 97 ok 4 ok 5
\
The strange thing is that it passes the HIGH security test. That test effectively runs _is_safe for all the direcories above you (including the current). I do not understand how MEDIUM fails but HIGH passes.
Sorry. I was being stupid and had not spotted that only 5 tests came back when it was run by the hand. The problem is that MEDIUM fails with a croak so that HIGH is never tried. The last two tests are clearing up after tests 2 and 3 (via END).
Sorry for the confusion.
Today around 3:33pm\, Tim Jenness hammered out this masterpiece:
: : > The strange thing is that it passes the HIGH security test. That test : > effectively runs _is_safe for all the direcories above you (including the : > current). I do not understand how MEDIUM fails but HIGH passes. : > : : Sorry. I was being stupid and had not spotted that only 5 tests came back : when it was run by the hand. The problem is that MEDIUM fails with a croak
Is that a new government operation?
: so that HIGH is never tried. The last two tests are clearing up after : tests 2 and 3 (via END). : : Sorry for the confusion.
No problem :-)
On Thu\, 17 Aug 2000\, 'David Scott Urban wrote:
Out of interest\, was the directory you were running in world writable?
% ls -l .
No\, my directories are set with a umask 002.
Here is tha output from ls -la on the t directory:
Thanks.
I see that they are group writable though. This is the problem. File::Temp thinks that a directory that is writable by anyone other than you or root is unsafe unless the sticky bit is set. I can recreate your error on linux by setting g+w on the directory.
I'm really not sure what to do next though. Is the test on group writability ridiculous or justifiably paranoid. At this point I'm not sure how to deal with the case of umask 002. I could change the test to use tmpdir() rather than current directory or I could check group writeability on current before porceeding with the test OR I could remove the check on group writability from the module.
Comments?
[spica] ~/perl/perl/t 309> ls -la total 136 drwxrwsr-x 10 urban csupport 4096 Aug 16 15:38 ./ drwxrwsr-x 28 urban csupport 8192 Aug 16 10:40 ../ -r--r--r-- 1 urban csupport 728 Aug 13 12:36 README -r-xr-xr-x 1 urban csupport 4341 Aug 13 12:36 TEST* -r-xr-xr-x 1 urban csupport 4584 Aug 13 12:36 UTEST* drwxrwsr-x 2 urban csupport 4096 Aug 16 09:43 base/ drwxrwsr-x 2 urban csupport 4096 Aug 16 09:43 cmd/ drwxrwsr-x 2 urban csupport 4096 Aug 16 09:43 comp/ -r--r--r-- 1 urban csupport 1788 Aug 13 12:36 harness drwxrwsr-x 2 urban csupport 4096 Aug 16 09:43 io/ drwxrwsr-x 3 urban csupport 4096 Aug 16 15:37 lib/ drwxrwsr-x 2 urban csupport 4096 Aug 16 15:31 op/ lrwxrwxrwx 1 urban csupport 7 Aug 16 10:57 perl -> ../perl* drwxrwsr-x 2 urban csupport 4096 Aug 16 09:44 pod/ drwxrwsr-x 4 urban csupport 4096 Aug 16 09:44 pragma/
Thanks.
I see that they are group writable though. This is the problem. File::Temp thinks that a directory that is writable by anyone other than you or root is unsafe unless the sticky bit is set. I can recreate your error on linux by setting g+w on the directory.
I'm really not sure what to do next though. Is the test on group writability ridiculous or justifiably paranoid. At this point I'm not sure how to deal with the case of umask 002. I could change the test to use tmpdir() rather than current directory or I could check group writeability on current before porceeding with the test OR I could remove the check on group writability from the module.
Comments?
After some serious thought\, I would trust the people in the groups that I work with to do the right thing. I definately would not make things world writeable.
I don't think the test on writability is ridiculous nor paranoid. It is whether you have the faith that people in the same group know what they are doing.
D. S. Urban
email : urban@ast.lmco.com
To be the person\, you must know the person. To know the person\, you must understand the person. To understand the person\, you must listen. To listen\, you must open your mind and put aside all preconceived ideas and notions.
All opinions expressed are my own not that of my employer
I'm really not sure what to do next though. Is the test on group writability ridiculous or justifiably paranoid. At this point I'm not sure how to deal with the case of umask 002. I could change the test to use tmpdir() rather than current directory or I could check group writeability on current before porceeding with the test OR I could remove the check on group writability from the module.
Comments?
Perhaps we should create a directory structure during the test with various security issues and make sure the module errors correctly under those circumstances\, instead of depending on the specific permissions of a system for the pass/fail of a test. This isn't a test for security holes on your system\, this is a test for functionality of a module.
R.
On Fri\, 18 Aug 2000\, Richard Soderberg wrote:
I'm really not sure what to do next though. Is the test on group writability ridiculous or justifiably paranoid. At this point I'm not sure how to deal with the case of umask 002. I could change the test to use tmpdir() rather than current directory or I could check group writeability on current before porceeding with the test OR I could remove the check on group writability from the module.
Comments?
Perhaps we should create a directory structure during the test with various security issues and make sure the module errors correctly under those circumstances\, instead of depending on the specific permissions of a system for the pass/fail of a test. This isn't a test for security holes on your system\, this is a test for functionality of a module.
That's still quite difficult since in principal File::Temp checks whether all the parent directories are safe as well. That means that you could make a directory somewhere and set the protections in a controlled\, cross platform\, way but if the directory you create is itself in an unsafe directory then you still can't do the tests :-(
The only thing I can think of is to move the test directory to tmpdir rather than cwd - can we guarantee that tmpdir is going to be "safe" more often than cwd?
On Fri\, Aug 18\, 2000 at 06:23:34PM -0700\, Richard Soderberg wrote:
I'm really not sure what to do next though. Is the test on group writability ridiculous or justifiably paranoid. At this point I'm not sure how to deal with the case of umask 002. I could change the test to use tmpdir() rather than current directory or I could check group writeability on current before porceeding with the test OR I could remove the check on group writability from the module.
Comments?
Perhaps we should create a directory structure during the test with various security issues and make sure the module errors correctly under those circumstances\, instead of depending on the specific permissions of a system
That sounds like a good idea. And if we created that directory structure at File::Spec->tmpdir (which\, hopefully\, is a local filesystem) we could get a success for that one File::Temp test which always fails on NFS.
for the pass/fail of a test. This isn't a test for security holes on your system\, this is a test for functionality of a module.
R.
On Sat\, 19 Aug 2000\, Jarkko Hietaniemi wrote:
On Fri\, Aug 18\, 2000 at 06:23:34PM -0700\, Richard Soderberg wrote:
I'm really not sure what to do next though. Is the test on group writability ridiculous or justifiably paranoid. At this point I'm not sure how to deal with the case of umask 002. I could change the test to use tmpdir() rather than current directory or I could check group writeability on current before porceeding with the test OR I could remove the check on group writability from the module.
Comments?
Perhaps we should create a directory structure during the test with various security issues and make sure the module errors correctly under those circumstances\, instead of depending on the specific permissions of a system
That sounds like a good idea. And if we created that directory structure at File::Spec->tmpdir (which\, hopefully\, is a local filesystem) we could get a success for that one File::Temp test which always fails on NFS.
Okay. For the security tests I'll change them to use tmpdir(). Note that as mentioned in a later email that this still assumes that tmpdir() itself is "safe" (and\, possibly\, all its parent directories). - I can't see anyway around that though...
Here it is:
Migrated from rt.perl.org#3720 (status was 'resolved')
Searchable as RT3720$