 |
digitemp-utils-3.6.0-alt1.2.1.x86_64 |
unsafe-tmp-usage-in-scripts |
fail |
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/share/digitemp/rrdb/log-temperature.pl: $ grep -A5 -B5 /tmp/ /usr/share/digitemp/rrdb/log-temperature.pl } else { die "Could not find rrdtool binary\n"; } # The RRD database to put the data into $wx_rrd = "/tmp/digitemp.rrd"; # Read the output from digitemp # Output in form 0\troom\tattic\tdrink open( DIGITEMP, "digitemp -a -q -o2 |" ); -- chomp; if( $_ =~ /^nanosleep/i ) { $now = localtime; open( ERRLOG, ">>/tmp/dt-error") or die "Error opening dt-error"; print ERRLOG "nanosleep error at $now\n"; close( ERRLOG ); die "nanosleep error"; } else { -- # This section was used to create up to date email signature files # Create the email header in Fahrenheit #open( HEADER, ">/tmp/.header") or die "Error opening .header"; #$now = localtime; #print HEADER "[$now]--[Inside "; #printf HEADER "%0.2f",ctof( $room ); #print HEADER "F]--[Outside "; Found error in /usr/share/digitemp/perl/maxplot: $ grep -A5 -B5 /tmp/ /usr/share/digitemp/perl/maxplot $im->string(gdSmallFont,$hmargin,&ytransform(-30),"Harddrive #1",$red); $im->string(gdSmallFont,$hmargin,&ytransform(-35),"Room Temperature",$green); $im->string(gdSmallFont,$hmargin,&ytransform(-40),"Outside Temperature",$orange); # Output it to a .gif image file open( PLOT, ">/tmp/tempplot.gif"); print PLOT $im->gif; close(PLOT); # copy the image to its final destination and make sure it is owned # by the right person. system "cp /tmp/tempplot.gif /home/nexus/.public_html/tempplot.gif"; system "chown nexus.users /home/nexus/.public_html/tempplot.gif"; system "chmod 0644 /home/nexus/.public_html/tempplot.gif"; |