[Pkg-puppet-devel] [SCM] Puppet packaging for Debian branch, 0.24.x, updated. puppet-0.24.5-rc3-457-g0dee418

James Turnbull james at lovedthanlost.net
Wed Jun 9 19:49:08 UTC 2010


The following commit has been merged in the 0.24.x branch:
commit 0aae57f91dc69b22fb674f8de3a13c22edd07128
Author: Markus Roberts <markus at phage.home>
Date:   Mon Jan 4 23:08:20 2010 -0800

    Backport of tmpfile patch from 0.25.2

diff --git a/lib/puppet/daemon.rb b/lib/puppet/daemon.rb
index 24d7437..19c0c30 100755
--- a/lib/puppet/daemon.rb
+++ b/lib/puppet/daemon.rb
@@ -30,7 +30,7 @@ module Puppet::Daemon
             $stderr.reopen $stdout
             Puppet::Util::Log.reopen
         rescue => detail
-            File.open("/tmp/daemonout", "w") { |f|
+            Puppet::Util.secure_open("/tmp/daemonout", "w") { |f|
                 f.puts "Could not start %s: %s" % [Puppet[:name], detail]
             }
             Puppet.err "Could not start %s: %s" % [Puppet[:name], detail]
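Review bot: The new `secure_open` call on the `+` line sits inside the `rescue => detail` handler and can itself raise (it re-raises `Errno::EEXIST` on a lost race) or block for up to five seconds, which would abort the handler before the `Puppet.err` line below ever reports the original failure. Since the log line is the more reliable channel, emit it first and treat the /tmp file as best effort: move `Puppet.err "Could not start %s: %s" % [Puppet[:name], detail]` above the `secure_open` block, or wrap the block in its own `begin … rescue => e` so a failed write does not mask `detail`. The enclosing method and its `begin` start and end outside the hunk.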
diff --git a/lib/puppet/util.rb b/lib/puppet/util.rb
index f8a8721..8822cf5 100644
--- a/lib/puppet/util.rb
+++ b/lib/puppet/util.rb
@@ -429,7 +429,28 @@ module Util
     end
 
     module_function :memory, :thinmark
-end
+
+    def secure_open(file,must_be_w,&block)
+        raise Puppet::DevError,"secure_open only works with mode 'w'" unless must_be_w == 'w'
+        raise Puppet::DevError,"secure_open only requires a block"    unless block_given?
+        Puppet.warning "#{file} was a symlink to #{File.readlink(file)}" if File.symlink?(file)
+        if File.exists?(file) or File.symlink?(file)
+            wait = File.symlink?(file) ? 5.0 : 0.1
+            File.delete(file)
+            sleep wait # give it a chance to reappear, just in case someone is actively trying something.
+        end
+        begin
+            File.open(file,File::CREAT|File::EXCL|File::TRUNC|File::WRONLY,&block)
+        rescue Errno::EEXIST
+            desc = File.symlink?(file) ? "symlink to #{File.readlink(file)}" : File.stat(file).ftype
+            puts "Warning: #{file} was apparently created by another process (as"
+            puts "a #{desc}) as soon as it was deleted by this process.  Someone may be trying"
+            puts "to do something objectionable (such as tricking you into overwriting system"
+            puts "files if you are running as root)."
+            raise
+        end
+    end
+    module_function :secure_open
 end
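Review bot: The `File.open` on the `File::CREAT|File::EXCL` line passes no permission argument, so the newly created file gets the umask default (usually world-readable) in a shared directory; since the callers write daemon error text and generated docs there, pass an explicit mode, `File.open(file, File::CREAT|File::EXCL|File::TRUNC|File::WRONLY, 0600, &block)` (`File::TRUNC` is redundant with `EXCL`, which guarantees a fresh file, and can be dropped). The four `puts` lines in the `rescue Errno::EEXIST` branch write to stdout, whereas the symlink warning a few lines earlier goes through `Puppet.warning`; routing the race warning through `Puppet.warning` as well keeps it in the log. The second guard's message reads "secure_open only requires a block" — presumably "secure_open requires a block" was intended.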
 
 require 'puppet/util/errors'
diff --git a/lib/puppet/util/reference.rb b/lib/puppet/util/reference.rb
index 40e49f4..c242d75 100644
--- a/lib/puppet/util/reference.rb
+++ b/lib/puppet/util/reference.rb
@@ -36,7 +36,7 @@ class Puppet::Util::Reference
 
     def self.pdf(text)
         puts "creating pdf"
-        File.open("/tmp/puppetdoc.txt", "w") do |f|
+        Puppet::Util.secure_open("/tmp/puppetdoc.txt", "w") do |f|
             f.puts text
         end
         rst2latex = %x{which rst2latex}
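Review bot: With `secure_open` the fixed path `/tmp/puppetdoc.txt` is still shared by every run of the same user, and `secure_open` unconditionally deletes whatever already exists there before creating its own file, so two concurrent doc generations (here, in the `trac` hunk further down, and the same pattern for `/tmp/daemonout` in daemon.rb) silently clobber each other's output. Where the name does not need to be predictable, stdlib `Tempfile` gives a per-process name and avoids the delete-then-recreate step entirely; the path can then be handed to the rst2latex command instead of being hard-coded. `self.pdf` continues past the end of this hunk.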
@@ -48,6 +48,7 @@ class Puppet::Util::Reference
         end
         rst2latex.chomp!
         cmd = %{#{rst2latex} /tmp/puppetdoc.txt > /tmp/puppetdoc.tex}
+        Puppet::Util.secure_open('/tmp/puppetdoc.tex','w') {}
         output = %x{#{cmd}}
         unless $? == 0
             $stderr.puts "rst2latex failed"
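Review bot: The added `Puppet::Util.secure_open('/tmp/puppetdoc.tex','w') {}` creates the file and closes it immediately, so the shell redirection `> /tmp/puppetdoc.tex` in `cmd` reopens the path afterwards and follows whatever is there at that moment — the exclusive create only narrows the window rather than closing it. Writing the converter's stdout through the handle keeps the secured file open for the whole write: change the command to `cmd = %{#{rst2latex} /tmp/puppetdoc.txt}` and replace the empty block and the `output = %x{#{cmd}}` line with `Puppet::Util.secure_open('/tmp/puppetdoc.tex','w') { |f| output = %x{#{cmd}}; f.write output }`; the `$?` check that follows still sees the command's status. Whether `output` is used later in `self.pdf` is not visible here, so keep the assignment if it is.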
@@ -168,7 +169,7 @@ class Puppet::Util::Reference
     end
 
     def trac
-        File.open("/tmp/puppetdoc.txt", "w") do |f|
+        Puppet::Util.secure_open("/tmp/puppetdoc.txt", "w") do |f|
             f.puts self.to_trac
         end
 
