Bug #30142 for KinoSearch: Cleaning up /tmp directory; predictable tmp filenames

Sat Oct 20 00:02:10 2007 ANDK [...] cpan.org - Ticket created

Subject:

Cleaning up /tmp directory; predictable tmp filenames

While cleaning up my /tmp directory I discovered left overs from KinoSearch 0.161 testsuite: # ls -l kinosearch_lockdir/test-foo -rw-rw-r-- 1 sand sand 25 Oct 20 05:52 kinosearch_lockdir/test-foo # ls -lad kinosearch_lockdir drwxrwxrwx 2 sand sand 4096 Oct 20 05:53 kinosearch_lockdir/ Predictable filenames in /tmp directory have severe security implications when people run the tests as root. Please use File::Temp instead (which has the additional benefit of cleaning up after its use;) Thanks,

Mon Oct 22 12:05:10 2007 CREAMYG [...] cpan.org - Taken

Mon Oct 29 10:55:16 2007 CREAMYG [...] cpan.org - Fixed in 0.162 added

Mon Oct 29 10:55:17 2007 CREAMYG [...] cpan.org - Correspondence added

This flaw ought to be resolved with maint release 0.162 and devel release 0.20_05. The test suite still creates temp files and directories with predictable names -- this is unavoidable because KinoSearch's invindexes are directories and the naming semantics of the files within them matter. However, the test suite now takes greater care with permissions, creating a working directory within the tmp directory with owner-only privileges, doing all its work within that, then cleaning up at the end. Lock files are still created within the tmp directory, though this is no longer the case in development releases (0.20_xx). These must have predictable filenames, because otherwise other processes could not find them. However, the locking mechanism uses safe opens (sysopen with O_EXCL), so there should be no potential for clobbering.

Mon Oct 29 10:55:18 2007 The RT System itself - Status changed from 'new' to 'open'

Mon Oct 29 10:55:19 2007 CREAMYG [...] cpan.org - Status changed from 'open' to 'resolved'