Xref: utzoo comp.sources.d:2892 news.admin:3843
Path: utzoo!attcan!uunet!mcvax!hp4nl!rivm!ccea3
From: ccea3@rivm.UUCP (Adri Verhoef)
Newsgroups: comp.sources.d,news.admin
Subject: Re: arbitron program (v2.4.2--last updated 4 June 1987)
Summary: A more secure script
Keywords: security
Message-ID: <1110@rivm05.UUCP>
Date: 2 Nov 88 10:59:16 GMT
References: <16091@decwrl.dec.com>
Reply-To: ccea3@rivm05.UUCP (Adri Verhoef)
Organization: RIVM, Bilthoven, The Netherlands
Lines: 83

># arbitron -- this program produces rating sweeps for USENET.

I made a few enhancements to the script, so that it runs more securely, e.g.:

1) Instead of temporary awk-scripts that are placed in $TMPDIR (/tmp), the
   default value for $TMPDIR will now be /usr/lib/news (i.e. $NEWS). This
   will make it more secure, as the awk-script cannot be renamed and replaced
   by other programs by others than root and news/usenet.

2) I introduced two variables, $ARB_PWD and $ARB_FMT, that don't make use
   of $$, so that these files will be overwritten the next time after a
   system crash, or if they were not removed. Now you will actually see
   which and how many tempfiles are used.

Diffs follow now: 35d34 < TMPDIR=/tmp 36a36 > TMPDIR=$NEWS 37a38,41 > ARB_PWD=arb.pwd > ARB_FMT=arb.fmt > ARB_ACT=arb.active > ARB_TMP=arb.tmp 79c83 < trap "rm -f $TMPDIR/arb.*.$$; exit" 0 1 2 3 15 --- > trap "rm -f $TMPDIR/arb.*; exit" 0 1 2 3 15 130c134 < s/DATE/$dat/g" > $TMPDIR/arb.fmt.$$ << 'DOG' --- > s/DATE/$dat/g" > $TMPDIR/$ARB_FMT << 'DOG' 179c183 < cat >$TMPDIR/arb.pwd.$$ <<'MOUSE' --- > cat >$TMPDIR/$ARB_PWD <<'MOUSE' 192c196 < else ACTIVE=/tmp/arb.active.$$ --- > else ACTIVE=$TMPDIR/$ARB_ACT 204c208 < awk -F: -f $TMPDIR/arb.pwd.$$ $TMPDIR/arb.tmp.$$ --- > awk -F: -f $TMPDIR/$ARB_PWD $TMPDIR/$ARB_TMP 207c211 < if [ -s $TMPDIR/arb.tmp.$$ ] --- > if [ -s $TMPDIR/$ARB_TMP ] 222,223c226,227 < sort - $TMPDIR/arb.tmp.$$ | < awk -f $TMPDIR/arb.fmt.$$ | --- > sort - $TMPDIR/$ARB_TMP | > awk -f $TMPDIR/$ARB_FMT | You might think that the current version (v2.4.2) of arbitron is the same as the one as of 4 June 1987, but I noticed some slight differences: 9,10c9,10 < # readership survey for your machine and mail that survey to decwrl, with < # a cc to you. --- > # readership survey for your machine and mail that survey to decwrl.dec.com, > # with a cc to you. 13c13 < # run "arbitron" every month. I will run the statistics program on the last --- > # run "arbitron" every month. I will run the statistics program on the first 18c18 < # Brian Reid, DEC Western Research Lab, reid@decwrl --- > # Brian Reid, DEC Western Research Lab, reid@decwrl.dec.com 59,61c59,60 < # uucp path: {ihnp4, decvax, ucbvax}!decwrl!netsurvey < # summarypath="netsurvey@decwrl.dec.com $USER" < summarypath="ihnp4!decwrl!netsurvey $USER" --- > # uucp path: {sun, hplabs, pyramid, decvax, ucbvax}!decwrl!netsurvey > summarypath="netsurvey@decwrl.dec.com $USER" 62a62 > 230a231,232 > >
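
Review bot: In hunk 79c83 of the first diff the new trap runs `rm -f $TMPDIR/arb.*`, and with TMPDIR now set to $NEWS that glob matches every file named arb.* in the news library directory, not only the four files this script creates. Naming them explicitly, `rm -f $TMPDIR/$ARB_PWD $TMPDIR/$ARB_FMT $TMPDIR/$ARB_ACT $TMPDIR/$ARB_TMP`, keeps the cleanup scoped to the script's own files. Because the names no longer contain $$, the trap in one run also removes the files of any other run still in progress, so a lock file or a comment that only one instance may run at a time would help.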
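
Review bot: The fixed names added in 37a38,41 are only safe while $TMPDIR is a directory that other users cannot write to, and nothing in the patch documents or enforces that. Hunk 36a36 sets the default to $NEWS, but a site that points TMPDIR back at /tmp ends up with known names such as arb.pwd that any user can create in advance, which is weaker than the old $$ names. A comment beside `TMPDIR=$NEWS` stating the requirement, or a permission check on the directory before the first file is written, would keep a local edit from undoing the change.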
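
The point of item 1) in the post, as an added example that is not part of the original post or of arbitron: fixed temp-file names are only safe in a directory other users cannot write to, so this script checks for that and otherwise falls back to a freshly created private subdirectory. The function names `dir_is_private`, `make_private_workdir` and `choose_workdir` are hypothetical, and the check looks at mode bits only, not at ownership.

```sh
#!/bin/sh
# Added example (not from arbitron): pick a work directory in which
# fixed-name temp files such as arb.pwd cannot be planted by other users.

# dir_is_private DIR
# Succeeds only if DIR is a real directory (not a symlink) whose mode
# gives neither group nor other write permission. A sticky world-writable
# directory like /tmp is rejected: the sticky bit stops renames and
# deletions, but not pre-creation of a file under a known name.
dir_is_private() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    mode=$(ls -ld -- "$dir" | cut -c1-10)
    case $mode in
        d????-??-?) return 0 ;;   # column 6 = group write, column 9 = other write
        *)          return 1 ;;
    esac
}

# make_private_workdir PARENT NAME
# Creates PARENT/NAME with mode 0700 and prints its path. mkdir fails if
# the name already exists (file, directory or symlink), so a planted
# entry makes the script stop instead of being used.
make_private_workdir() {
    parent=$1 name=$2
    ( umask 077 && mkdir "$parent/$name" ) 2>/dev/null || return 1
    printf '%s\n' "$parent/$name"
}

# choose_workdir BASE
# Uses BASE directly when it is already private (e.g. /usr/lib/news owned
# by news); otherwise creates a private subdirectory inside it.
choose_workdir() {
    base=${1:-/tmp}
    if dir_is_private "$base"; then
        printf '%s\n' "$base"
    else
        make_private_workdir "$base" "arb.$$"
    fi
}

# Usage inside a script (assumed layout):
#   WORKDIR=$(choose_workdir "$TMPDIR") || { echo "no safe workdir" >&2; exit 1; }
#   cat > "$WORKDIR/arb.pwd" <<'MOUSE' ...
```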