

Careful with that Axe, Eugene
Authored by: exel on Jul 31, '06 07:55:59AM

Just a minor point, the /tmp directory can be written to by anyone. If your machine is a multi user system, this script creates several security problems. If another user manages to create a /tmp/printer.final with 755 permissions, this hint's script will silently fail at removing it and may allow a malicious user to execute commands with _your_ user privileges.



Careful with that Axe, Eugene
Authored by: AtomicMonkey on Jul 31, '06 08:38:30AM

The script I use cleans up before and after. So this is not an issue. Running as root, a loginhook creates a file that cannot be overwritten.



Careful with that Axe, Eugene
Authored by: exel on Jul 31, '06 03:08:33PM

Ah, it wasn't clear from context that the script ran as root. I'd say you're still leaving some space for race conditions. If another user runs a script that constantly tries to create a file called /tmp/printer.final with some nefarious code in it, through the magic of multitasking he has a good chance of getting it executed _after_ your login script performs the rm -f on /tmp/print* but _before_ it got a chance to output to /tmp/printer.final (the window is even quite large because you are spending time sedding over the old printcap). Any unwanted commands in this temp file will be executed as the root user.

Avoid /tmp for this kind of thing, or use mktemp, that's what it's there for.



Careful with that Axe, Eugene
Authored by: AtomicMonkey on Jul 31, '06 08:55:01AM

I see what you are talking about. You mean the Platypus script. Like I said this is just the basis for that script. The Platypus script uses /Users/$USERNAME/Library/tmp to do its business.

USERNAME=$(whoami)

# create the per-user scratch directory if it does not exist yet
test ! -e "/Users/$USERNAME/Library/tmp" && mkdir "/Users/$USERNAME/Library/tmp"

Then just use that temp directory in place of /tmp.

You're right, I should have mentioned that.



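An added example, not code from either poster or from the Platypus script, of the pattern the two replies above converge on: exel's point that a shared /tmp lets another local user pre-plant or swap the work file in the window between the rm -f and the write (so use mktemp), and AtomicMonkey's per-user scratch directory under ~/Library/tmp. The function names, the scratch path passed in by the test, and the constructed printcap fragment are assumptions; the real script would pass /Users/$USERNAME/Library/tmp. The checks are deliberately portable to both macOS and Linux sh.

```shell
#!/bin/sh
# Added example (not from the thread). Safe scratch handling for a script that,
# like the login hook discussed above, may run as root on a multi-user machine.
set -u

# Create or verify a private scratch directory. Succeeds only if the path is a
# real directory (not a symlink), owned by the caller, and mode 0700, so no other
# local user can plant or replace files inside it. Prints the path on success.
make_private_scratch() {
    dir=$1
    if [ ! -d "$dir" ]; then
        # -m applies the mode explicitly, independent of the caller's umask
        mkdir -m 0700 "$dir" || return 1
    fi
    # a symlink here would redirect every later write to wherever it points
    if [ -L "$dir" ]; then
        echo "refusing symlink scratch dir: $dir" >&2
        return 1
    fi
    # portable ownership/mode check via ls (stat flags differ between GNU and BSD)
    perms=$(ls -ld "$dir" | cut -c1-10)
    owner=$(ls -ld "$dir" | awk '{print $3}')
    if [ "$perms" != "drwx------" ] || [ "$owner" != "$(id -un)" ]; then
        echo "refusing scratch dir $dir (perms=$perms owner=$owner)" >&2
        return 1
    fi
    printf '%s\n' "$dir"
}

# Create the work file with mktemp inside the private directory. mktemp creates
# the file atomically with O_EXCL and mode 0600, so a file another user planted
# under a predictable name (the thread's /tmp/printer.final) is never reused.
make_work_file() {
    dir=$1
    mktemp "$dir/printer.XXXXXX"
}

# Before doing anything with the work file, confirm it is still a plain,
# caller-owned, 0600 regular file. Returns 0 if safe, 1 otherwise.
check_work_file() {
    f=$1
    [ -L "$f" ] && return 1
    [ -f "$f" ] || return 1
    perms=$(ls -l "$f" | cut -c1-10)
    owner=$(ls -l "$f" | awk '{print $3}')
    [ "$perms" = "-rw-------" ] && [ "$owner" = "$(id -un)" ]
}

# Stand-in for the hint's "sed over printcap, then use the result" step:
# build the output in the private work file and print its path. The content
# is a constructed sample, not a real printcap.
build_printcap_safely() {
    base=$1
    scratch=$(make_private_scratch "$base") || return 1
    work=$(make_work_file "$scratch") || return 1
    check_work_file "$work" || return 1
    printf 'lp|default printer:\\\n\t:sd=/var/spool/lpd/lp:\n' > "$work"
    printf '%s\n' "$work"
}
```

Run `build_printcap_safely "/Users/$(whoami)/Library/tmp"` in place of the rm -f / redirect-to-/tmp sequence; anything that fails the checks makes the function return non-zero so the caller can abort rather than execute or install a file it does not own.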
Careful with that Axe, Eugene
Authored by: Trunkmonkey on Jul 31, '06 02:28:46PM

Eugene? I told you never to call me that! The name's Plague. Mr. The Plague.


