warnings on compile

Steve Langasek vorlon at netexpress.net
Fri Dec 15 16:01:48 GMT 2000


> Jeremy, are you saying that you and Andrew are GOD or something?  Or
> are you simply talking about "doing your best".

Are computers God?  We expect them to flawlessly execute the Samba code
every time without opening up any root holes.  I think the task Jeremy and
Andrew have to carry out, to make sure there aren't any identifiable security
holes in the Samba code itself, is much less demanding. :)

> If you are only talking about "best efforts" ( well, I wish you
> are), then the story differs.  The very fact is, that you only do your
> best, and Andrew does his best. There's a chance that you two both make
> a mistake, no matter how small it may be.

> 		 SO THERE'S NO PROOF.

Of course there is.  Programming is completely deterministic in nature.  If we
have complete information about the behavior of a function, it's possible to
prove whether or not the function is used safely.  If we don't have complete
information, then it doesn't matter if the function is used once or 20
times.  I think this is a point that too many people (programmers and laymen)
miss, because as a society we've come to accept security holes as inevitable.
But there's no excuse for security holes based on programming errors that have
been widely recognized for more than a decade.

If Andrew and Jeremy perform this audit with every release, that's likely to
/decrease/ the chances of them making a mistake, not increase it, because
they have more experience and can spot problems more quickly and more
accurately.

Jeremy also said they audit *every* use of the open() function.  Changing
smbd_mkstemp() into a full-fledged mkstemp() function won't change all the
other open() calls that would still need auditing.

Despite disagreeing with you about the divine nature of the Samba project
leaders :), it seems to me that pulling the mktemp code entirely into Samba
would be a good idea.  There's enough variation in the mktemp(), mkstemp(),
tmpnam(), etc. functions available on different Unices, and it's simple enough
to reimplement correctly, that it might just reduce the Samba code size to do
it all internally.

Steve Langasek
postmodern programmer
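As an added illustration of the "simple enough to reimplement correctly" point above (this is example code, not code from the original message or from Samba): a minimal mkstemp-style function that builds a random suffix and creates the file with O_CREAT|O_EXCL and mode 0600, retrying only on EEXIST. The names `safe_mkstemp` and `fill_random` are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: fill buf with bytes from /dev/urandom.
 * Returns 0 on success, -1 on failure. */
static int fill_random(unsigned char *buf, size_t len) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Hypothetical mkstemp-style function: the template's trailing "XXXXXX" is
 * overwritten with random characters and the file is created atomically.
 * Returns an open fd on success, -1 with errno set on failure. */
int safe_mkstemp(char *template) {
    static const char alphabet[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    size_t len = strlen(template);
    if (len < 6 || strcmp(template + len - 6, "XXXXXX") != 0) {
        errno = EINVAL;          /* caller must supply the XXXXXX suffix */
        return -1;
    }
    char *suffix = template + len - 6;
    for (int attempt = 0; attempt < 100; attempt++) {
        unsigned char rnd[6];
        if (fill_random(rnd, sizeof rnd) != 0) return -1;
        for (int i = 0; i < 6; i++)   /* tiny modulo bias is fine for a name */
            suffix[i] = alphabet[rnd[i] % (sizeof alphabet - 1)];
        /* O_EXCL is the whole point: create is atomic and fails with EEXIST
         * if anything (file or symlink) already sits at that path, so the
         * name is never guessed-and-raced. 0600 keeps it private from birth. */
        int fd = open(template, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (fd >= 0) return fd;
        if (errno != EEXIST) return -1;   /* only a collision is retryable */
    }
    errno = EEXIST;
    return -1;
}
```

The same O_CREAT|O_EXCL check is what an audit of every open() call in a code base is looking for wherever a file is created at a predictable path.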
