From: Neven Sajko
Date: Fri, 1 Sep 2017 14:17:38 +0200
Subject: Non-portable sh script - $RANDOM
To: bug-automake@gnu.org

automake version 1.15.1, also in latest git master.

See

https://git.savannah.gnu.org/cgit/automake.git/tree/lib/install-sh#n327

The RANDOM variable giving pseudo-random numbers is not a POSIX sh
feature. Dash, for example, does not implement it.

So line 327 is probably wrong.

Maybe this would work instead:

random=`dd 'if=/dev/urandom' 'count=1' 'bs=256' 2>/dev/null | cksum | sed "$r"`\
`date -u | cksum | sed "$r"`

If this fix is correct, maybe you would also like to update
https://git.savannah.gnu.org/cgit/automake.git/tree/lib/config.guess#n104

Regards

From: Eric Blake
Date: Fri, 1 Sep 2017 12:13:39 -0500
Subject: Re: bug#28317: Non-portable sh script - $RANDOM
To: Neven Sajko, 28317-done@debbugs.gnu.org

tag 28317 notabug
thanks

On 09/01/2017 07:17 AM, Neven Sajko wrote:
> automake version 1.15.1, also in latest git master.
>
> See
>
> https://git.savannah.gnu.org/cgit/automake.git/tree/lib/install-sh#n327

Let's look at it in context:

      *)
        tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
        trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0

        if (umask $mkdir_umask &&
            exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
        then
          if test -z "$dir_arg" || {
               # Check for POSIX incompatibilities with -m.
               # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
               # other-writable bit of parent directory when it shouldn't.
               # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
               ls_ld_tmpdir=`ls -ld "$tmpdir"`
               case $ls_ld_tmpdir in
                 d????-?r-*) different_mode=700;;
                 d????-?--*) different_mode=755;;
                 *) false;;
               esac &&
               $mkdirprog -m$different_mode -p -- "$tmpdir" && {
                 ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
                 test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
               }
             }
          then posix_mkdir=:
          fi
          rmdir "$tmpdir/d" "$tmpdir"
        else
          # Remove any dirs left behind by ancient mkdir implementations.
          rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
        fi
        trap '' 0;;
    esac;;

>
> The RANDOM variable giving pseudo-random numbers is not a POSIX sh
> feature. Dash, for example, does not implement it.

Correct. But for shells that do not implement it, it will expand to the
empty string, at which point we are merely naming our directory ins-$$,
which is still a (somewhat) random name, because it depends on the pid.
True, when $RANDOM is not supported, it's easier to guess the name being
used, but the REAL test is whether the code correctly handles the case
where an attacker races with your probe of an available name and your
subsequent use of the name. _This_ code is specifically calling mkdir
(which is race-free) as the only use of $tmpdir, and therefore, even
when $RANDOM is not supported, we are not opening ourselves to attack.

Therefore, even though we know it is not POSIX, we also don't care.
This is not a shortcoming that needs to be patched.

> Maybe this would work instead:
>
> random=`dd 'if=/dev/urandom' 'count=1' 'bs=256' 2>/dev/null | cksum | sed "$r"`\
> `date -u | cksum | sed "$r"`

No, there's no need to further complicate something that is already
correct even when $RANDOM is empty.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

From: Mathieu Lirzin
Date: Fri, 01 Sep 2017 19:40:09 +0200
Subject: Re: bug#28317: Non-portable sh script - $RANDOM
To: nsajko@gmail.com
Cc: eblake@redhat.com, 28317@debbugs.gnu.org

Hello,

Eric Blake writes:

> tag 28317 notabug
> thanks
>
> On 09/01/2017 07:17 AM, Neven Sajko wrote:
>> automake version 1.15.1, also in latest git master.
>>
>> See
>>
>> https://git.savannah.gnu.org/cgit/automake.git/tree/lib/install-sh#n327
>
> Let's look at it in context:
>
>       *)
>         tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
>         trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
>
>         if (umask $mkdir_umask &&
>             exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
>         then
>           if test -z "$dir_arg" || {
>                # Check for POSIX incompatibilities with -m.
>                # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
>                # other-writable bit of parent directory when it shouldn't.
>                # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
>                ls_ld_tmpdir=`ls -ld "$tmpdir"`
>                case $ls_ld_tmpdir in
>                  d????-?r-*) different_mode=700;;
>                  d????-?--*) different_mode=755;;
>                  *) false;;
>                esac &&
>                $mkdirprog -m$different_mode -p -- "$tmpdir" && {
>                  ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
>                  test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
>                }
>              }
>           then posix_mkdir=:
>           fi
>           rmdir "$tmpdir/d" "$tmpdir"
>         else
>           # Remove any dirs left behind by ancient mkdir implementations.
>           rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
>         fi
>         trap '' 0;;
>     esac;;
>
>>
>> The RANDOM variable giving pseudo-random numbers is not a POSIX sh
>> feature. Dash, for example, does not implement it.
>
> Correct. But for shells that do not implement it, it will expand to the
> empty string, at which point we are merely naming our directory ins-$$,
> which is still a (somewhat) random name, because it depends on the pid.
> True, when $RANDOM is not supported, it's easier to guess the name being
> used, but the REAL test is whether the code correctly handles the case
> where an attacker races with your probe of an available name and your
> subsequent use of the name. _This_ code is specifically calling mkdir
> (which is race-free) as the only use of $tmpdir, and therefore, even
> when $RANDOM is not supported, we are not opening ourselves to attack.
>
> Therefore, even though we know it is not POSIX, we also don't care.
> This is not a shortcoming that needs to be patched.
>
>> Maybe this would work instead:
>>
>> random=`dd 'if=/dev/urandom' 'count=1' 'bs=256' 2>/dev/null | cksum | sed "$r"`\
>> `date -u | cksum | sed "$r"`
>
> No, there's no need to further complicate something that is already
> correct even when $RANDOM is empty.

I agree with Eric's reasoning.

Thanks for the report.

-- 
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761  070D 0ADE E100 9460 4D37

From: Debbugs Internal Request
Date: Sat, 30 Sep 2017 11:24:05 +0000
Subject: Internal Control

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
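
The point made in the thread, that a guessable name does no harm when creating the directory is itself the atomic test, can be shown in POSIX sh without $RANDOM. This is an added example, not part of the thread and not install-sh code: the function names, the retry limit of 100 and the constructed collision scenario are assumptions, and it uses plain mkdir (no -p) so that an already-existing name counts as a failure.

```sh
#!/bin/sh
# Added illustration (not install-sh code): claim a private scratch directory
# in POSIX sh with no $RANDOM. Names and the retry limit are assumptions.

# make_private_dir BASE PREFIX
# Prints the path of a directory this call created (mode 0700); returns 1
# if 100 candidate names in a row were already taken.
make_private_dir() {
  mpd_n=0
  while [ "$mpd_n" -lt 100 ]; do
    # The name only has to be unlikely to collide; it is not a secret.
    mpd_dir=$1/$2-$$-$mpd_n
    # No "[ -e ... ]" probe first: that would leave a window between the
    # check and the create. Plain mkdir (no -p) is the check: it either
    # creates the directory or fails because the name exists, whether as a
    # file, a directory or a symlink. The subshell confines the umask.
    if (umask 077 && mkdir "$mpd_dir") 2>/dev/null; then
      printf '%s\n' "$mpd_dir"
      return 0
    fi
    mpd_n=$((mpd_n + 1))
  done
  return 1
}

# Constructed scenario: the first two candidate names are already taken,
# one by a directory and one by a dangling symlink. Prints the name that
# was finally created and its permission bits.
demo_collision() {
  top=$(make_private_dir "${TMPDIR:-/tmp}" demo) || return 1
  mkdir "$top/ins-$$-0"
  ln -s /nonexistent "$top/ins-$$-1"
  got=$(make_private_dir "$top" ins) || { rm -rf "$top"; return 1; }
  perms=$(ls -ld "$got")
  rm -rf "$top"
  printf '%s %s\n' "${got##*/}" "${perms%% *}"
}

demo_collision
```

Because the caller only ever uses a path that its own mkdir call created, a pre-planted directory or symlink at a predicted name costs one retry and is never entered.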