From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:37297) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TkeGQ-0008Dw-RF for qemu-devel@nongnu.org; Mon, 17 Dec 2012 12:14:04 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1TkeGP-0004Nk-Ki for qemu-devel@nongnu.org; Mon, 17 Dec 2012 12:14:02 -0500
Received: from mx1.redhat.com ([209.132.183.28]:7923) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TkeGP-0004NW-EA for qemu-devel@nongnu.org; Mon, 17 Dec 2012 12:14:01 -0500
Date: Mon, 17 Dec 2012 12:13:59 -0500
From: Jason Baron
Message-ID: <20121217171359.GA4648@redhat.com>
References: <945049786.24997408.1355562854731.JavaMail.root@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
Subject: Re: [Qemu-devel] [PATCH 1/3] qtest: Enable creation of multiple qemu instances
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
To: Blue Swirl
Cc: kwolf@redhat.com, Paolo Bonzini , aliguori@us.ibm.com, qemu-devel@nongnu.org, quintela@redhat.com

On Sat, Dec 15, 2012 at 09:20:13AM +0000, Blue Swirl wrote:
> On Sat, Dec 15, 2012 at 9:14 AM, Paolo Bonzini wrote:
> >> > +#define QTEST_FILE_TEMP "/tmp/qtest-%d.sock"
> >> > +#define QTEST_QMP_FILE_TEMP "/tmp/qtest-%d.qmp"
> >> > +#define QTEST_PID_FILE_TEMP "/tmp/qtest-%d.pid"
> >>
> >> These filenames are too predictable from a security point of view,
> >
> > This need not be secure as long as the file is created with 0600
> > permissions. In fact, inspecting the pid file from the shell can
> > be useful.
>
> Permissions do not help at all because the attacker could for example
> target overwriting of a critical file.
>
> >
> > However, using mkstemp() on a prefix that includes the parent pid
> > can indeed be the best of both worlds.
>
> Yes.
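Review bot: all three names in the quoted hunk (QTEST_FILE_TEMP, QTEST_QMP_FILE_TEMP, QTEST_PID_FILE_TEMP) use the same predictable "/tmp/qtest-%d" scheme, so whatever is chosen for the socket should be applied to the QMP socket and the pid file as well; creating one per-instance directory with mkdtemp() (mode 0700) and placing all three files inside it would cover them together and sidestep the mkstemp()/bind() conflict raised below, because bind() would then create the socket itself in a directory no other user can write to.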
>
> >
> > Paolo
>

Yes, but mkstemp() creates the file, and bind() returns EADDRINUSE if
the file already exists. Using mktemp() in this case, with bind(), should
be ok, since bind() checks if the file exists and then creates it if
not, all within the bind() system call (so it's atomic).

Thanks,

-Jason
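The two behaviours discussed in this thread, as an added C example that is not part of the patch or of QEMU: mkstemp() followed by bind() on the same name fails with EADDRINUSE, while letting bind() create the socket inside an mkdtemp() directory (an assumed alternative, not something the thread settled on) yields an unpredictable, 0700-protected path with the atomic creation Jason wants. The "/tmp/qtest-XXXXXX" template and the "sock" file name are constructed for the example.

```c
#define _XOPEN_SOURCE 700              /* for mkstemp()/mkdtemp() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* bind() a Unix socket at `path`, then close it. Returns 0 or bind()'s
 * errno; bind() creates the node itself and never replaces a file. */
static int try_bind_unix(const char *path)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    int fd, err = 0;
    int n = snprintf(addr.sun_path, sizeof(addr.sun_path), "%s", path);
    if (n < 0 || n >= (int)sizeof(addr.sun_path)) return ENAMETOOLONG;
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return errno;
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        err = errno;
    close(fd);
    return err;
}

/* Jason's observation: mkstemp() has already created a regular file,
 * so binding the same name fails. Returns that errno (EADDRINUSE). */
int mkstemp_then_bind(void)
{
    char name[] = "/tmp/qtest-XXXXXX";   /* constructed template */
    int fd = mkstemp(name), err;
    if (fd < 0) return errno;
    close(fd);
    err = try_bind_unix(name);
    unlink(name);
    return err;
}

/* Assumed alternative (not QEMU's code): mkdtemp() makes an unguessable
 * 0700 directory and bind() creates the socket inside it, where other
 * users cannot pre-place a file or symlink at the socket's name. */
int bind_in_private_dir(void)
{
    char dir[] = "/tmp/qtest-XXXXXX", path[sizeof(dir) + 5];
    int err = mkdtemp(dir) ? 0 : errno;
    if (err) return err;
    snprintf(path, sizeof(path), "%s/sock", dir);
    err = try_bind_unix(path);
    unlink(path);
    rmdir(dir);
    return err;
}
```

Both functions return 0 or an errno value, so the EADDRINUSE case and the successful private-directory case can be checked directly by a caller.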