[pca] hiding SOA data from "ps"
Martin Paul
martin at par.univie.ac.at
Tue Dec 1 15:49:05 CET 2009
Dražen Kačar wrote:
> No, there's nothing to be gained there. I mean something like creating a
> symlink at the location your temporary file will be created, which then
> points to something you can write into, but another user can read. So
> he can get the username and password you're trying to hide.
Ok, I see. Until now, I've used a simple (and imperfect) approach,
appending time() and $$ to any temporary file name to cater for that.
It would be better to use temporary directories instead, as the symlink
scenario doesn't work then anymore. It still leaves open the chance of
a DoS attack, simply by creating all possible dir/file names, though.
I see that there is a File::Temp module for the very purpose of creating
safe tmp files in perl >= 5.6.1, so I'll probably switch to that for all
the temporary files/dirs I use.
Here's a link with many details about safe temp file creation:
http://www.linuxsecurity.com/content/view/115462/151/
Or as "man File::Temp" says:
It's better to use this module than to try to pick a temporary file on
your own. Otherwise, you'll just fall into all the same traps as
everyone else before you.
:)
>> .. when reading about bidirectional IPC communication with perl it seems
>> as if there's no simple, standard and non-ugly solution.
>
> Thought that might be a problem. :-)
>
> man IPC::Open2 looks promising, but I'm not a Perl programmer.
Yes, I found that, too, but some of the comments about it suggest that
there might be problems depending on how the spawned process handles
stdout, and on non-POSIX systems (and I've had reports about people
using pca on Windows to download patches, so I'm careful here).
Martin.
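
Added example, not part of the original message and not pca code: a Perl sketch of the symlink problem discussed above, comparing a predictable time()/$$ name with an O_EXCL open and with File::Temp. It assumes a POSIX system with symlink support; the file names and credentials are constructed, and a private directory stands in for a shared /tmp.

```perl
#!/usr/bin/perl
# Added example (not pca code); names and credentials below are constructed.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Private sandbox standing in for a world-writable /tmp.
my $tmp = tempdir(CLEANUP => 1);

# Predictable name in the style described above: prefix + time() + PID.
my $guessable = "$tmp/pca." . time() . ".$$";

# Stand-in for the pre-planted symlink: it points at a file someone else can read.
my $leak = "$tmp/readable-by-other-user";
symlink($leak, $guessable) or die "symlink: $!";

# Weak: plain open() follows the symlink, so the secret lands in $leak.
open(my $bad, '>', $guessable) or die "open: $!";
print {$bad} "user=alice\npassword=constructed-secret\n";
close($bad) or die "close: $!";
print "plain open(): secret written through the symlink\n" if -s $leak;
unlink $leak;    # the symlink itself is still in place

# Better: O_CREAT|O_EXCL fails if anything, a symlink included, exists at the path.
if (sysopen(my $fh, $guessable, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
    die "unexpected: O_EXCL open succeeded on a planted symlink";
}
else {
    print "O_EXCL open refused: $!\n";
}

# File::Temp: a randomly named mode-0700 directory, then a randomly named
# file inside it, created with O_EXCL and mode 0600.
my $dir = tempdir('pca.XXXXXXXXXX', DIR => $tmp, CLEANUP => 1);
my ($fh, $file) = tempfile('auth.XXXXXXXXXX', DIR => $dir, UNLINK => 1);
print {$fh} "user=alice\npassword=constructed-secret\n";
close($fh) or die "close: $!";

printf "File::Temp: %s (file mode %04o, dir mode %04o)\n",
    $file, (stat $file)[2] & 07777, (stat $dir)[2] & 07777;
```

Because the directory is mode 0700 and owned by the caller, other users cannot create entries inside it, which is why the temporary-directory approach closes the symlink scenario.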