On Wed, Feb 13, 2013 at 9:42 PM, David Golden via RT <
bug-File-Temp@rt.cpan.org> wrote:
Show quoted text> Queue: File-Temp
> Ticket <URL:
https://rt.cpan.org/Ticket/Display.html?id=82720 >
>
> On Wed, Feb 13, 2013 at 9:33 PM, TJENNESS via RT
> <bug-File-Temp@rt.cpan.org> wrote:
> > I do worry about the security implications. We are effectively saying
> that unlink0 might as well
> > never try to be clever as we can always fallback to deferred unlink if
> it fails. Tom C was insistent
> > that unlink0 behave like it does because he was extremely concerned
> about something weird
> > happening to temp files (and didn't really care about "broken" operating
> systems that could not
> > unlink an open file). Ideally you want to use deferred unlink only if
> you know you are on NFS.
>
> Not caring about "broken" is not a very portable mindset, which I
> don't think is the right thing for a core module to be doing.
>
>
Sure. Not my word, but it is still the case that if something happened that
causes unlink0 to fail unexpectedly in a manner that might be a security
problem, then we simply hide the problem and defer the unlink. If we can
defer the unlink any time that unlink0 fails then its not obvious why we
are doing the unlink0 "bend over backwards to make sure" tests at all.
Show quoted text> My preferred model is: "We'll try really hard to be secure, but if you
> can't be really secure for whatever reason, we'll do something else
> reasonable instead."
>
>
but Tom would say that File::Temp is giving you an expectation of security
and "try to be secure but ignore any problems" is not really being secure.
You don't have an expectation for the same level of security if you are on
a OS that can't unlink an open file so the deferred unlink is the best you
can do. If you are on NFS you also can't have an expectation of security
but the problem is we can't work out whether a directory is mounted
remotely or not.
Show quoted text> > I assume that if you ramp up the security level the unlink0 can't be
> bypassed?
>
> I don't have any objection to that. I suspect the number of people
> running under high is darn small and it won't bite most of the common
> "do tests in a tempfile" bugs that people hit.
>
>
You can't expect the HIGH security level to work on NFS so we shouldn't be
disabling the test because of NFS issues in this case.
--
Tim Jenness