Warnings under OpenBSD
Christopher R. Hertel
crh at nts.umn.edu
Tue Jun 8 16:37:16 GMT 1999
>
> > The attitude is one of "if you don't understand it, don't ask the
> > question."
>
> pity
Yes. From what I understand, OpenBSD was born out of a rift within the
NetBSD development group. On the plus side, the OpenBSD crowd are very
sticky about security and the product is very nice. On the minus side,
there is little effort at etiquette. I have, so far, found it worth-while
to put up with this. Also, I'd note that they much less support than the
Linux community, and so less time for explanations or pleasantries.
> > The mktemp() replacement mkstemp() removes the race condition my
> > returning you a file handle rather than a file name to then open().
>
> which is no good for the way we use mktemp() in Samba. We *need* the
> filename as it gets passed back to the client so we need a real file,
> not a handle pointing at an unlinked file. We use mktemp() safely by
> including the O_EXCL bit in the open.
Cool.
> unfortunately these sort of "dumb programmer detection" systems don't
> detect when someone is using a oft-abused function correctly, so they
> spit out warnings, which means our mailboxes fill up with people
> telling us that we have a security hole.
Now, now. I just asked for comments. ;)
> it's tempting to write out own mktemp() just to avoid these damn
> emails, it just seems so stupid as what we need is exactly what
> mktemp() gives, and I hate coding around idiotic warnings.
Sorry, Andrew. Didn't know it was a hot button.
> > > lib/util_sec.o: warning: this program uses setregid(), which is deprecated.
>
> does the man page say what the preferred alternative to setregid() is
> for OpenBSD?
The OpenBSD man page for setregid() says this:
"The setregid() function was intended to allow swapping the real and
effective group IDs in set-group-ID programs to temporarily relinquish
the set-group-ID value. This function did not work correctly, and its
purpose is now better served by the use of the setegid() function (see
setuid(2))."
Urq.
Full manual page info available at: http://www.openbsd.org/cgi-bin/man.cgi
> the irony is that we started using setregid() when available because
> other OSes deprecated the use of setegid() and instead encouraged
> setregid().
...and OpenBSD does the opposite. I'd be interested to know what
"doesn't work correctly" regarding setreguid(). I'll ask (and then
immediately duck for cover).
Chris -)-----
--
-- I have a shoehorn, the kind with teeth. --
---
Christopher R. Hertel -)----- University of Minnesota
crh at nts.umn.edu Networking and Telecommunications Services
More information about the samba-technical
mailing list