warnings on compile

okuyamak at dd.iij4u.or.jp
Sat Dec 16 19:22:51 GMT 2000


Steve,

>>>>> "SL" == Steve Langasek <vorlon at netexpress.net> writes:
>> Jeremy, are you saying that you and Andrew are GOD or something?  Or
>> are you simply talking about "doing your best".
SL> Are computers God?  We expect them to flawlessly execute the Samba code
SL> every time without opening up any root holes.  I think the task Jeremy and
SL> Andrew have to carry out, to make sure there aren't any identifiable security
SL> holes in the Samba code itself, is much less demanding. :)

Am I a God? No. So I don't use the way Jeremy and Andrew do.
Rather, I simply obey the rule of Quality Control: keeping the
dangerous point in a single function.


>> SO THERE'S NO PROOF.
SL> Of course there is.  Programming is completely deterministic in nature.

No, there's none, because we can never have complete and bug-free
information about the behavior of a function. This is because we have to
RECOGNIZE the code. We still do not have any AI, nor any 'semantic
analyzer', which helps us with debugging.
# I do wish to know if there's any. I need it (^^;).


What we can have is the behavior of a function as "WE BELIEVE" it
works. Since that is so, at the very last moment, we have the possibility of
misunderstanding. We sometimes misunderstand, and because of
that, we have a chance of enbugging the code. The very fact that
Jeremy and Andrew, as well as every person who has ever seen the
code, did not make any mistake, is simply due to luck.

We might have 99.99999999999999999999999999% of a proof. But this will
never become 100%. And that's where Quality Control starts from.
# If there were a way that we never make mistakes, why bother with Quality?


SL> Jeremy also said they audit *every* use of the open() function.

But that's nothing more than what he believes. We believe that he did
his best, and we know that what he's done is a lot better than what I
can do. But still, that statement will not make any PROOF.

# Please keep in mind that PROOF requires 100%.
# It's not 100.0% (which means you have a 0.05% chance of error).


SL> Changing
SL> smbd_mkstemp() into a full-fledged mkstemp() function won't change all the
SL> other open() calls that would still need auditing.

I'm talking about MAKING smbd_mkstemp(), which we right now don't
have.  Forget about a full-fledged mkstemp(), for it does not meet
Samba's requirements anyway.

Also, forget about mktemp()'s filename uniqueness, for we're not
using that characteristic now. What we have now as the function named
smbd_mktemp() is more dangerous than simply using mktemp().

# We are rejecting that danger at open()'s options. And this is
# only kept by J&A's continuous work.


SL> Despite disagreeing with you about the divine nature of the Samba project
SL> leaders :),

I never thought about that. I was only talking about Quality Control,
and that of the very basic kind: how to keep the quality of Samba.
# Who cares about project leaders, as long as it's being kept in a
# robust way? At least I don't, and I'd rather keep myself away from such
# headaches. I'm having enough of them in the business world.


SL> it seems to me that pulling the mktemp code entirely into Samba
SL> would be a good idea.  There's enough variation in the mktemp(), mkstemp(),
SL> tmpnam(), etc. functions available on different Unices, and it's simple enough
SL> to reimplement correctly, that it might just reduce the Samba code size to do
SL> it all internally.

Sorry to say, I don't have a mktemp() of my own. But I do have a
mkstemp() that will give the filename & the file being opened, and that will
meet Samba's requirements.

I don't really know if this code works on any Unix or not. I never
tried it on Unix.

Here comes the code:

/*
 * mkstemp() by K. Okuyama.
 * look at man page of some unix for how to use :p
 *
 * This code uses only 0-9 and A-Z for the temporary part.
 * This is good enough even against CD-ROM.
 *
 * Warning: This code uses rand(), but there are several implementations
 * of rand(), and old-style stdc rand() has to be very careful about
 * low-bit quality. Meanwhile, there are also some rand() that have
 * problems with high-bit quality (like when you simply use current time).
 * Please select a good enough rand() function.
 *
 * Warning: Note that this function does not add anything like
 *  "/tmp/" or "/usr/tmp/" or anything. That's what the caller of this
 * function should do.
 *
 * Note: it is named mkstemp() as posted; when linked into a program
 * this definition takes precedence over the C library's mkstemp().
 */

#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define	TRYTIMES	255
#define	NUMLETTERS	36
static const char	letters[]	= "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";

int	mkstemp( char *template )
{
    char	*filename;
    char	*replace_start;
    ssize_t	templatelen;
    ssize_t	i;
    ssize_t	count_X;

    if ( template == NULL ) {
        errno	= EINVAL;
        return -1;
    }

    templatelen	= strlen( template ) + 1;	/* including the terminating NUL */
    if ( templatelen < 7 ) {			/* room for at least six X's */
        errno	= EINVAL;
        return -1;
    }

    /* Work on a private copy: the caller's template is only rewritten
     * once a file has actually been created. */
    filename	= malloc( templatelen );
    if ( filename == NULL ) {
        errno	= ENOMEM;
        return -1;
    }
    memcpy( filename, template, templatelen );

    /* Find the trailing run of X's; it must be at least six long.
     * If the whole template is X's, replace_start stays at the front. */
    replace_start	= filename;
    count_X		= 0;
    for ( i = templatelen - 2; i >= 0; i-- ) {
        if ( filename[i] != 'X' ) {
            if ( count_X < 6 ) {
                free( filename );
                errno	= EINVAL;
                return -1;
            }
            replace_start	= &(filename[i+1]);
            break;
        }
        count_X++;
    }

    for ( i = 0; i < TRYTIMES; i++ ) {
        char		*p;
        unsigned long	v;
        int		fd;

        v	= 0;
        for ( p = replace_start; *p; p++ ) {
            if ( v < NUMLETTERS ) {
                /* seems like we ran out of bits */
                /* unfair? maybe. */
                v	= rand();
            }
            *p	= letters[v % NUMLETTERS];
            v	= v / NUMLETTERS;
        }

        /* O_EXCL is the whole point: existence check and creation are
         * one atomic step, so a name planted between our guess and our
         * open() is refused instead of being followed or truncated. */
        fd	= open( filename, O_RDWR | O_CREAT | O_EXCL, 0600 );
        if ( fd == -1 ) {
            if ( errno == EEXIST ) {
                continue;		/* collision: pick another name */
            }
            free( filename );		/* EACCES, ENOENT, ... are fatal */
            return -1;
        }
        memmove( template, filename, templatelen );
        free( filename );
        return fd;
    }
    free( filename );
    errno	= EEXIST;
    return -1;
}
---- 
Kenichi Okuyama at Tokyo Research Lab. IBM-Japan, Co.
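The following is an added example, not part of Okuyama's mail or of Samba's code. It demonstrates the point the thread keeps returning to: the mktemp()-style race is closed by the O_EXCL in the open() call, not by the quality of the random name. The scratch directory, the victim file and the "predictable.tmp" name are constructed for the demo, and the attacker is simulated in-process by planting a symlink at the predicted name before the open(); create_naive() and create_exclusive() are hypothetical helper names, not Samba functions.

```c
/* Added example: why O_EXCL, and not the random name, is what stops the
 * mktemp() race.  Directory, file and link names are constructed here. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: a name chosen earlier (e.g. by mktemp()) is opened
 * without O_EXCL.  If a symlink has since been planted at that name,
 * open() follows it and O_TRUNC destroys whatever it points at. */
int create_naive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safe pattern: O_CREAT|O_EXCL fails with EEXIST if anything (regular
 * file or symlink) already sits at the name, atomically with creation.
 * O_NOFOLLOW is belt and braces against the symlink case. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Run the race scenario in a fresh scratch directory.
 * Returns 1 when the exclusive open refused the planted link and left
 * the victim intact while the naive open clobbered it; 0 if the system
 * behaved otherwise; -1 on setup failure. */
int demo_mktemp_race(void)
{
    char dir[64], victim[128], planted[128];
    struct stat st;
    int fd, excl_refused, victim_intact, naive_opened, victim_clobbered;

    /* Scratch directory: try /tmp, fall back to the working directory. */
    strcpy(dir, "/tmp/okuyama_demo_XXXXXX");
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./okuyama_demo_XXXXXX");
        if (mkdtemp(dir) == NULL) return -1;
    }
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(planted, sizeof planted, "%s/predictable.tmp", dir);

    /* Victim file holding content the attacker wants destroyed. */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6) return -1;
    close(fd);

    /* Attacker wins the race: plants a symlink at the predicted name. */
    if (symlink(victim, planted) != 0) return -1;

    /* Exclusive open must refuse with EEXIST and leave the victim alone. */
    fd = create_exclusive(planted);
    excl_refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    victim_intact = (stat(victim, &st) == 0 && st.st_size == 6);

    /* Naive open follows the link and truncates the victim to 0 bytes. */
    fd = create_naive(planted);
    naive_opened = (fd >= 0);
    if (fd >= 0) close(fd);
    victim_clobbered = (stat(victim, &st) == 0 && st.st_size == 0);

    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return excl_refused && victim_intact && naive_opened && victim_clobbered;
}

int main(void)
{
    printf("O_EXCL closes the race: %s\n",
           demo_mktemp_race() == 1 ? "yes" : "no");
    return 0;
}
```

The symlink is planted in a private 0700 directory rather than in /tmp itself, so the demo does not depend on the kernel's protected-symlinks setting for sticky world-writable directories; the comparison it makes is the same one Okuyama's loop relies on, where a collision (or a planted name) simply makes open() fail and the loop tries another name.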