Apache OpenOffice (AOO) Bugzilla – Issue 10863
Referenced "mktemp" program in installation script not available in Solaris
Last modified: 2008-05-17 23:23:06 UTC
The install script references a program called "mktemp" (line 107) to create a temporary filename. This program isn't on a Solaris system, nor does one come with OpenOffice v1.0.2. The workaround is to replace the TMPFILE line to that used in the previous version of install, from: TMPFILE=`mktemp -q /tmp/$0.XXXXXX` to TMPFILE="/tmp/${USER}_autoresponse.conf" A better solution will be needed in order to conform to the notion of avoiding race conditions (which the TMPFILE doesn't do). Maybe you can use the PID in the filename to create a unique name: TMPFILE="/tmp/${USER}_autoresponse-$$.conf"
Hi Martin, do you know who is responsible for these install scripts?
reassigned
Hi, The change to "mktemp" was made to explicitly handle the race issue. From what I can tell, "mktemp" does exist on most BSD systems and on Linux. Can anyone familiar with Solaris please let me know how shell scripts can securely create temp files under Solaris? Once I know that I can simply check uname and use the race free method specific to that system. I do not want to revert to the old way (the fear of someone using the install script to wipe out /etc/passwd or something else important is too great). So I guess in the short term I can check which system you are on and revert to the unsafe method only for Soalris, but that doesn't seem like a good solution to me at all. So if someone more familiar with Solaris 8 and 9 could tell me what is the safe way to create a temp file from a shell script I would be happy to fix this. Thanks, Kevin
I confirm this issue. Is it also present in 1.1Beta2? If so, we should solve it before RC, I think.
Yes, it is also in 1.1Beta2. Sander, how did you worked around this? Or you do not use install.sh?
Hi, There really is no completely safe way to solve this for Soalris. They technically do not have the equivalent of mtemp yet using other approaches may leave the root user at the mercy of code that can take advantage of the race and thereby get the root user to damage his/her own system. I would rather we simply edit the install.sh to abort under Solaris (or any other platform were mktemp can't be found) and instead instruct the user to enter the proper ./setup -net command manually. Sorry but unless someone on Solaris can come up with a secure replacement for mktemp usable from the shell script we really should not allow the use of install.sh My 2 cents, Kevin
i think stopp on solaris - or alternatively, don't bundle on solaris would imho either be fine
Hi, Resolving this as fixed since patches went into post OOo 1.1 Beta 2 to prevent "install" from being included under Solaris at all. Thanks, Kevin
Incidentally, mktemp is a free package available from www.mktemp.org/mktemp . With the package installed, installation under Solaris 2.7 works fine for me. I don't know if bundling mktemp is an option or not, but it might be considered...
*** Issue 16307 has been marked as a duplicate of this issue. ***
Created attachment 7332 [details] Freeware software "mktemp" built for Sun Solaris
The Issue you raised has been marked as 'Resolved' and not updated within the last 1 year+. I am therefore setting this issue to 'Verified' as the first step towards Closing it. If you feel this is incorrect, please re-open the issue and add any comments. Many thanks, Andrew Cleaning-up and Closing old Issues ~ The Grand Bug Squash, pre v3 ~ http://marketing.openoffice.org/3.0/announcementbeta.html
As per previous posting: Verified -> Closed. A Closed Issue is a Happy Issue (TM). Regards, Andrew