This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.



Re: [PATCH, vtv update] Fix /tmp directory issues in libvtv


On 08/11/2013 01:08 AM, Caroline Tice wrote:
OK, I have removed the attempt to use $HOME for the logs; they will
now either go into the directory specified by the environment variable
VTV_LOGS_DIR, or they will go into the current directory.  I also
added code to use secure_getenv, rather than getenv, if it is
available.  Is this patch ok to commit?

+  logs_prefix = secure_getenv ("VTV_LOGS_DIR");
+  if (!logs_prefix || strlen (logs_prefix) == 0)
+    logs_prefix = (char *) ".";
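
Review bot: the fallback on the last line, `logs_prefix = (char *) ".";`, is taken whenever secure_getenv returns NULL, and that includes every secure-execution (SUID/SGID) run, so a privileged process would still write its logs into whatever working directory the invoking user picked. Consider disabling logging in that case, or documenting the feature as unsupported for SUID/SGID programs, instead of defaulting to ".". The `(char *)` cast also drops const from a string literal; declaring logs_prefix as `const char *` removes the need for it. The empty-string test can be written `logs_prefix[0] == '\0'` rather than calling strlen.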

Hmm. If you fall back to the current directory, using secure_getenv doesn't have the intended security effect. I wonder if we can simply label this functionality as unsafe for SUID/SGID programs, like we (hopefully) do for profiling.

Also, logs_prefix should be declared const char *, then the cast can go away (I hope).

--
Florian Weimer / Red Hat Product Security Team
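
One way to act on the point about SUID/SGID programs, as an added example that is not part of the original message or of libvtv: decide on the secure-execution flag before any fallback, and disable logging rather than writing to ".". It assumes Linux with glibc (`getauxval (AT_SECURE)` is the condition under which secure_getenv returns NULL); the function names are hypothetical, and the symlink-safe open goes one step beyond what the thread discusses.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/auxv.h>
#include <unistd.h>

/* Hypothetical policy helper.  ENV_VALUE is the VTV_LOGS_DIR lookup result;
   AT_SECURE is nonzero for a SUID/SGID (secure-execution) process.
   Returns the log directory, or NULL when logging must be disabled.  */
const char *
choose_logs_dir (const char *env_value, int at_secure)
{
  /* Check the mode first: the environment is untrusted here, and a "."
     fallback would write into a directory the invoking user controls.  */
  if (at_secure)
    return NULL;
  if (env_value && env_value[0] != '\0')
    return env_value;
  return ".";
}

/* Hypothetical wrapper that reads the real process state.  */
const char *
vtv_logs_dir_example (void)
{
  int at_secure = getauxval (AT_SECURE) != 0;
  return choose_logs_dir (at_secure ? NULL : getenv ("VTV_LOGS_DIR"),
                          at_secure);
}

/* Create NAME inside DIR without following a symlink or reusing an
   existing file.  Returns a file descriptor, or -1 on failure.  */
int
open_log_example (const char *dir, const char *name)
{
  int dirfd, fd;

  if (!dir)
    return -1;                  /* logging disabled by policy */
  dirfd = open (dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
  if (dirfd < 0)
    return -1;
  fd = openat (dirfd, name,
               O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
  close (dirfd);
  return fd;
}
```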
