Bugtraq mailing list archives
updatedb: sort patch
From: ballbach () LORIEN ML ORG (Michael Ballbach)
Date: Tue, 3 Mar 1998 00:43:51 -0700
After the posting indicating that sort was the culprit, I figured I'd take a look. It appears that a function, called xtmpfopen(), is called to return a stream to the temp file, that stream is created via a call to fdopen() after open() returns a file descriptor to the file being opened. Soooo, it seemed to me that if we ored in O_EXCL in the option list for open(), that would solve our problem. Now, sort will fail, causing updatedb to fail, but hey, which is better, no password file, or an out-of-date locate database?

I tested this on my machine, and it appears to work fine. Hopefully the following patch provides a remedial solution for those who still want their updatedb to run as root. Also, I figured this would help if other software makes use of sort (I was surprised to find updatedb was a shell script), or an unsuspecting someone may use sort as root every once in a while. Also, this is quite an amateur investigation, so comments are welcome.

Sort is in textutils, this applies to textutils 1.22 on ftp.gnu.org. cd into textutils-1.22/src before applying the patch.

--- sort_orig.c Tue Mar 3 00:26:00 1998 +++ sort.c Tue Mar 3 00:25:32 1998 @@ -321,7 +321,7 @@ FILE *fp; int fd; - fd = open (file, O_WRONLY | O_CREAT | O_TRUNC, 0600); + fd = open (file, O_EXCL | O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd < 0 || (fp = fdopen (fd, "w")) == NULL) { error (0, errno, "%s", file);

--------------------------
Michael A. Ballbach: N0ZTQ
ballbach () lorien ml org <--- PGP Key Here. (finger)
mikeb () vr1 com
http://ballbach.lorien.ml.org/

"I don't know how world war three will be fought, but world war four will be fought with sticks and stones." -- Albert Einstein.
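
Review bot: in the changed open() call, O_TRUNC no longer does anything: with O_CREAT | O_EXCL the call fails with EEXIST whenever the name already exists (a symlink included), so there is never an existing file to truncate, and dropping the flag makes the intent clearer. The hunk also leaves the choice of temp file name untouched, so whoever creates that name first makes sort, and with it updatedb, fail on every run; consider handling EEXIST on the error path that now only calls error (0, errno, "%s", file), either by retrying with a fresh name or by creating the file with mkstemp().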
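
The effect of the flag described in the message above, as an added example that is not part of the original post or of textutils: it opens a pre-planted symlink with the old and the patched flag sets and reports what happened to the file the link points at. The function name, the scratch directory and the file names `victim` and `sort0001` are hypothetical.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and symlink() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Constructed scenario in a private scratch directory: "victim" holds 6 bytes
 * and "sort0001" (hypothetical temp name) is a symlink to it, created first.
 * Opens the temp name with extra_flags added to the original flag set, stores
 * the open() errno (0 on success) in *open_errno and returns victim's size.
 */
long victim_size_after_open(int extra_flags, int *open_errno) {
    char dir[] = "/tmp/excl-demo-XXXXXX";
    char victim[64], tmpname[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -2;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/sort0001", dir);

    FILE *v = fopen(victim, "w");
    if (v == NULL) return -2;
    fputs("secret", v);
    fclose(v);
    if (symlink(victim, tmpname) != 0) return -2;

    /* Same call shape as the line the patch changes in sort.c. */
    int fd = open(tmpname, extra_flags | O_WRONLY | O_CREAT | O_TRUNC, 0600);
    *open_errno = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);

    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmpname); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    int e = 0;
    long size = victim_size_after_open(0, &e);
    printf("without O_EXCL: victim is %ld bytes, open errno %d\n", size, e);
    size = victim_size_after_open(O_EXCL, &e);
    printf("with O_EXCL:    victim is %ld bytes, open failed: %s\n", size, strerror(e));
    return 0;
}
```
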