This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
Re: egcs-CVS19980627, mips-sgi-irix6.2 bootstrap problem ...
- To: Alexandre Oliva <oliva at dcc dot unicamp dot br>
- Subject: Re: egcs-CVS19980627, mips-sgi-irix6.2 bootstrap problem ...
- From: Jeffrey A Law <law at cygnus dot com>
- Date: Tue, 30 Jun 1998 11:47:36 -0600
- cc: Martin Knoblauch <knobi at rocketmail dot com>, Jim Wilson <wilson at cygnus dot com>, "Kaveh R. Ghazi" <ghazi at caip dot rutgers dot edu>, egcs-bugs at cygnus dot com
- Reply-To: law at cygnus dot com
In message <ord8br2lu6.fsf@iguacu.dcc.unicamp.br> you write:
> Martin Knoblauch <knobi@rocketmail.com> writes:
>
> >> > If it is necessary to drop the extension for security reasons, then we have
>
> > OOOp. What are the security reasons? Just curious.
>
> The way gcc created temporary names was easily predictable, so any
> user could manage to overwrite arbitrary files owned by whoever runs
> gcc, by creating soft-links from names gcc is likely to use to files
> he intended to overwrite.
Right. Even if the names are less predictable it is not safe to tack
on a suffix *after* secure creation of a temporary prefix. And since
it appears that we need to have the suffix we needed to find a way
to add the suffix in a secure manner -- that's what last night's work
should do.
jeff
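
Added example (not GCC's code and not part of the original message): one way to create a temporary file that must end in a suffix, by making the full suffixed name the object of the exclusive create instead of appending the suffix after a prefix was created securely. The function names, the `cc` name prefix and the use of `/dev/urandom` are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create `path` only if no directory entry exists there. With O_CREAT,
   O_EXCL makes "check" and "create" one atomic step and fails with EEXIST
   even when `path` is a symbolic link, so a planted link is never followed. */
int open_exclusive(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Hypothetical helper: build "<dir>/cc<random hex><suffix>" and create that
   final name exclusively, retrying on collision. The suffix is part of the
   name *before* creation; nothing is appended or reopened afterwards.
   Returns an open fd and the name in `out`, or -1 with errno set. */
int make_temp_with_suffix(const char *dir, const char *suffix,
                          char *out, size_t outlen)
{
    int rnd = open("/dev/urandom", O_RDONLY);
    if (rnd < 0)
        return -1;
    int fd = -1;
    for (int attempt = 0; attempt < 100 && fd < 0; attempt++) {
        unsigned int r;
        if (read(rnd, &r, sizeof r) != (ssize_t)sizeof r)
            break;
        int n = snprintf(out, outlen, "%s/cc%08x%s", dir, r, suffix);
        if (n < 0 || (size_t)n >= outlen) {
            errno = ENAMETOOLONG;
            break;
        }
        fd = open_exclusive(out);
        if (fd < 0 && errno != EEXIST)
            break;                  /* real error, not a name collision */
    }
    int saved = errno;
    close(rnd);
    errno = saved;
    return fd;
}
```

A securely created prefix file says nothing about the prefix-plus-suffix name, which is a separate directory entry; only an exclusive create of that final name closes the gap.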