I'm forwarding this message from Bryan O'Neill, who is not on the time zone mailing list. Those of you who are on the time zone mailing list should direct replies appropriately.

--ado

________________________________

From: Bryan O'Neill, President [mailto:support@wake123.com]
Sent: Tuesday, February 27, 2007 11:08 AM
To: tz@lecserver.nci.nih.gov
Subject: New DST Rules for 2007

Ladies & Gentlemen,

I asked a question on linuxquestions.org about what exact commands I would need to install your patch that will update the new DST rules on my RH 8.0 pc. One guy responded with the following:

]$ cd /tmp && { mkdir tz && cd tz || exit 1; }
   wget -q 'ftp://elsie.nci.nih.gov/pub/tz*.tar.gz' || exit
]$ gzip -dc tzcode*.tar.gz | tar -xf -
]$ gzip -dc tzdata*.tar.gz | tar -xf -
]$ which nawk >/dev/null 2>&1|| { sed -i 's|nawk|gawk|g' Makefile || exit 1; }
]$ LOCALTIMEVAR0=`grep ^ZONE= /etc/sysconfig/clock 2>/dev/null| awk -F'=' '{print $2}'|tr -d '"'`
]$ LOCALTIMEVAR1=`make zonenames 2>/dev/null|grep -m1 $LOCALTIMEVAR0|awk '{print $1}'`
]$ [ -n $LOCALTIMEVAR1 ] || exit 1 && { sed -i "s|Factory|$LOCALTIMEVAR1|g" Makefile \
   && make install; echo 'Done!'; }

The blue code I've already done and I understand. But what about the green code? Do you see anything there that may create something malicious or unsecure? I don't think so but I wanted to get your more educated & trusted opinion. Is it correct for east coast time zone (New York)?

Thanks!
-Bryan
I'm forwarding this message from Bryan O'Neill, who is not on the time zone mailing list.
[...]
I asked a question on linuxquestions.org about what exact commands I would need to install your patch that will update the new DST rules on my RH 8.0 pc. One guy responded with the following: [snip] Do you see anything there that may create something malicious or unsecure?
I decided not to bore the whole list with the fairly detailed response I mailed to Bryan, but figured I'd leave a briefer synopsis here for the archives:

* While I don't know about 8.0 specifically, I do know that repositories for some other Red Hat releases are up-to-date enough that a simple "yum update tzdata" would probably be a better solution for Bryan's stated goals.

* The code quoted was not malicious, nor inherently insecure (there are some circumstances where security problems might arise, such as a compromised tzcode tarball being downloaded, but these are issues outside the scope of what the given code snippet can be expected to address). Furthermore, though I do have some quibbles with the code as not setting the best example in quality (using several commands where a smaller number of simple ones would have sufficed), it *is* written with safety in mind: it takes pains to "exit" whenever something might not work as planned, rather than risk falling through and potentially doing damage.

* The code snippet installs to the tzcode default of /usr/local/zoneinfo, which is wrong for the goal of ensuring that the *system* will use the new rules. If recompiling from source (as opposed to using a newer rpm) is desired, editing the TOPDIR setting in the makefile (or setting it on the "make" command-line) is needed.

--Ken Pizzini
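Added example, not part of either message or of the tz distribution: a sketch of the two points the synopsis above raises, checking each downloaded tarball against a SHA-256 digest obtained from a trusted channel before building, and passing the install root on the make command line instead of accepting the default. The function names, the digests, the TOPDIR value and the use of LOCALTIME as a make variable (inferred from the quoted sed on "Factory") are assumptions.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the thread.

# Succeed only if FILE hashes to EXPECTED (hex SHA-256 obtained out of band).
# Returns 2 on bad arguments, 1 on mismatch, 0 on match.
verify_sha256() {
    file=$1
    expected=$2
    [ -f "$file" ] && [ -n "$expected" ] || return 2
    actual=$(sha256sum "$file" | awk '{print $1}') || return 2
    [ "$actual" = "$expected" ]
}

# Print the ZONE= value from a Red Hat style clock file; fail if it is
# missing or empty. The test is quoted: an unquoted [ -n $zone ] is
# true when the variable is empty, so it would never stop the script.
read_zone() {
    zone=$(sed -n 's/^ZONE=//p' "$1" 2>/dev/null | head -n 1 | tr -d '"')
    [ -n "$zone" ] || return 1
    printf '%s\n' "$zone"
}

# Gate the build: both tarballs must verify and a zone must be found.
# Prints the make command for review instead of running it, so nothing
# is installed until every check has passed.
# Args: code_tarball code_sha data_tarball data_sha clock_file topdir
prepare_install() {
    verify_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    verify_sha256 "$3" "$4" || { echo "checksum mismatch: $3" >&2; return 1; }
    zone=$(read_zone "$5") || { echo "no ZONE value in $5" >&2; return 1; }
    [ -n "$6" ] || { echo "TOPDIR not given" >&2; return 1; }
    # LOCALTIME as a make variable is an assumption (see lead-in).
    printf 'make TOPDIR=%s LOCALTIME=%s install\n' "$6" "$zone"
}
```

A digest fetched from the same server as the tarball only detects corruption in transit; it has to come from a separate trusted source to address the compromised-download case.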