XCOMM!/bin/sh
XCOMM Copyright (c) 2008-2012 Apple Inc.
XCOMM
XCOMM Permission is hereby granted, free of charge, to any person
XCOMM obtaining a copy of this software and associated documentation files
XCOMM (the "Software"), to deal in the Software without restriction,
XCOMM including without limitation the rights to use, copy, modify, merge,
XCOMM publish, distribute, sublicense, and/or sell copies of the Software,
XCOMM and to permit persons to whom the Software is furnished to do so,
XCOMM subject to the following conditions:
XCOMM
XCOMM The above copyright notice and this permission notice shall be
XCOMM included in all copies or substantial portions of the Software.
XCOMM
XCOMM THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
XCOMM EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
XCOMM MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
XCOMM NONINFRINGEMENT.  IN NO EVENT SHALL THE ABOVE LISTED COPYRIGHT
XCOMM HOLDER(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
XCOMM WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
XCOMM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
XCOMM DEALINGS IN THE SOFTWARE.
XCOMM
XCOMM Except as contained in this notice, the name(s) of the above
XCOMM copyright holders shall not be used in advertising or otherwise to
XCOMM promote the sale, use or other dealings in this Software without
XCOMM prior written authorization.

XCOMM Make sure these directories are owned by root (uid 0, gid 0) and
XCOMM have mode 1777

XCOMM Our usage of mktemp fails with GNU, so prefer /usr/bin to hopefully
XCOMM get BSD mktemp
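if [ -x /usr/bin/mktemp ] ; then
    # Absolute path is preferred so that a GNU mktemp found earlier in
    # PATH is not used; the bare-name template below relies on BSD mktemp.
    MKTEMP=/usr/bin/mktemp
else
    # Fallback resolves through PATH.  This script calls chown root:wheel,
    # so it is expected to run privileged: PATH must be trusted here.
    MKTEMP=mktemp
fi

STAT=/usr/bin/stat

for dir in /tmp/.ICE-unix /tmp/.X11-unix /tmp/.font-unix ; do
	success=0
	for attempt in 1 2 3 4 5 ; do
		# BSD stat format: octal file type and mode, then uid and gid.
		# Without -L, stat reports on a symlink itself, not its target.
		# Errors are silenced, so an empty result means the path is
		# missing or stat itself failed.
		check=$("${STAT}" -f '%#p %u %g' "${dir}" 2> /dev/null)
		if [ "${check}" = "041777 0 0" ] ; then
			# Already a sticky, world-writable directory owned by 0:0.
			success=1
			break
		elif [ -n "${check}" ] ; then
			# Something with the wrong type, mode or owner holds the
			# name.  Move it aside, and report the move only when both
			# the holding directory and the mv actually succeeded.
			if saved=$("${MKTEMP}" -d "${dir}-XXXXXXXX") && mv "${dir}" "${saved}" ; then
				echo "${dir} exists but is insecure.  It has been moved into ${saved}" >&2
			else
				# Drop the holding directory if it was created but unused.
				[ -n "${saved}" ] && rmdir "${saved}" 2> /dev/null
				echo "${dir} exists but is insecure and could not be moved aside" >&2
			fi
		fi

		# Use mktemp rather than mkdir to avoid possible security issue
		# if $dir exists and is a symlink (ie protect against a race
		# against the above check)
		if "${MKTEMP}" -d "${dir}" > /dev/null 2>&1 ; then
			# Settle ownership before widening the mode, and count the
			# attempt as successful only if both calls worked; otherwise
			# the next attempt re-checks and replaces the directory.
			if chown root:wheel "${dir}" && chmod 1777 "${dir}" ; then
				success=1
				break
			fi
		fi
	done

	if [ "${success}" -eq 0 ] ; then
		echo "Could not successfully create ${dir}" >&2
	fi
done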