Re: ACT announces availability of GNAT 3.14p

[Kilgallen@SpamCop.net (Larry Kilgallen)]

In article <87k7tkkqbo.fsf@deneb.enyo.de>, Florian Weimer <fw@deneb.enyo.de> writes:
> dewar@gnat.com (Robert Dewar) writes:
> 
>> You misunderstand what I am saying. When the user asks for
>> a temporary file *explicitly* (nothing silent about that),
>> then the temporary file goes in TMP, which seems the right
>> semantics for a Unix environment to us. If you are concerned about the
>> security issue, e.g. if you are writing a setuid program in Ada, then
>> most certainly I would advise against explicit use of temporary files
>> in the Ada sense.
> 
> You are mixing two things here.  (Maybe I have been mixing these two
> things, too, but I don't think so!)  The problem in GNAT 3.14p and
> earlier affects *all* programs running on a multi-user system which
> create temporary files.  As a result, you cannot use the Ada temporary
> file facility at all, at least if you care about security.

I believe saying "*all* programs running on a multi-user system which
create temporary files" is overly broad.  If GNAT is conforming to
operating system expectations as Robert Dewar said, then on VMS
it might use SYS$SCRATCH as the storage area, and by default that
is fully protected from other unprivileged users.  If for some
reason you want to reduce the security on a VMS system, there are
steps you can take to make SYS$SCRATCH not be protected from other
unprivileged users.  (Actually, VMS has a different mechanism that
GNAT might also use that puts the file into no directory.)

I would hope that on Unix there is some way to redefine /tmp so
as to provide more protection.  But attempting to make the default
use of /tmp by an Ada program more secure than the default use of /tmp
by a shell script will be effective only if you also prevent use of
/tmp by shell scripts.