[Pdx-pm] File::Path rmtree modification

Keith Lofstrom keithl at kl-ic.com
Tue Feb 15 21:23:06 PST 2005


Perl newbie here;

rmtree() in the File::Path package does something that I want--
almost.  This is two questions;  (One), am I thinking correctly
about what I want to do, and (B), if a package is Almost Right
(but not quite), what is the most maintainable way to do the
Right Thing?

For those of you who dote on Secunia security advisories, you are
of course familiar with http://secunia.com/advisories/13643/,
"Perl File::Path::rmtree Race Condition".

rmtree() is intended to delete a directory tree.  It can be set to
either skip directories with incorrect permissions (say 0500 ), or
to chmod them to 0777 then proceed with deleting them and their
contents.  The security hole is that if the directory is set to
0777, somebody else can write into it before it is deleted;
if the process is interrupted, a 0777 directory remains.  A bit
far-fetched, but we Linux/Unix folk are a cautious sort.

Question Numero Uno:  Why the heck the authors ( Tim Bunce and
Charles Bailey ) felt it necessary to chmod the recalcitrant
directory to 0777 !  Newbie here thinks that if the directory
has a different owner or group, the chmod fails anyway, and
if the directory is mine, I can chmod it to 0700 and do my
removal without setting the other permissions.  If the removal
fails and leaves an incorrect 0700 instead of where I started,
the directory is slated (somehow) for destruction anyway, so
no important damage is done.  And no security hole created. 
So, *am* I thinking?

Question Roman Numeral II:  If I *am* thinking correctly, and the
authors say "go away kid, don't bother me" then I am faced with
building a local version of rmtree(), and distributing that
version with my app.   I can rename it and put it in the app's
library, but is that the best way?

Keith

-- 
Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
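
The approach the post proposes, as an added example (not File::Path's code and not part of the original message): a recursive remove that chmods only the caller's own directories to 0700, never 0777, and uses lstat so symlinks are unlinked rather than followed. The name `rmtree_owner_only` is hypothetical and the temp-directory demo is constructed; the code still checks and then acts on path names, so it closes the world-writable window, not every race.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempdir);

# Hypothetical helper (not part of File::Path): remove a tree, widening
# permissions on our own directories to 0700 only, never to 0777.
sub rmtree_owner_only {
    my ($path) = @_;
    my @st = lstat($path);                  # lstat: do not follow symlinks
    return 0 unless @st;
    # Plain files, symlinks, etc. are unlinked, never descended into.
    return unlink($path) ? 1 : 0 unless S_ISDIR($st[2]);

    # Touch the mode only if the directory is ours and lacks owner rwx.
    # chmod on another user's directory would fail anyway.
    if ($st[4] == $> && ($st[2] & 0700) != 0700) {
        chmod(0700, $path) or return 0;     # owner-only: no group/other bits
    }

    opendir(my $dh, $path) or return 0;
    my @entries = grep { $_ ne '.' && $_ ne '..' } readdir($dh);
    closedir($dh);

    my $ok = 1;
    for my $entry (@entries) {
        $ok = 0 unless rmtree_owner_only("$path/$entry");
    }
    # A failed or interrupted run leaves at most a 0700 directory behind.
    return ($ok && rmdir($path)) ? 1 : 0;
}

# Constructed demo: nested 0500 directories holding one file.
my $top    = tempdir(CLEANUP => 1);
my $locked = "$top/locked";
mkdir($locked)       or die "mkdir: $!";
mkdir("$locked/sub") or die "mkdir: $!";
open(my $fh, '>', "$locked/sub/file") or die "open: $!";
close($fh);
chmod(0500, "$locked/sub") or die "chmod: $!";
chmod(0500, $locked)       or die "chmod: $!";

my $removed = rmtree_owner_only($locked);
printf "removed=%d still_exists=%d\n", $removed, (-e $locked ? 1 : 0);
```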

