Message-Id: <199804061838.CAA16914@spinner.netplex.com.au>
To: Андрей Чернов
cc: committers@FreeBSD.ORG
Subject: Re: cvs commit: src/sys/kern vfs_vnops.c src/sys/sys fcntl.h
In-reply-to: Your message of "Mon, 06 Apr 1998 22:16:22 +0400." <19980406221622.37671@nagual.pp.ru>
Date: Tue, 07 Apr 1998 02:38:44 +0800
From: Peter Wemm

Андрей Чернов wrote:
> > In article <199804061738.KAA02766.kithrup.freebsd.cvs-all@freefall.freebsd.org> you write:
> > >   sys/kern vfs_vnops.c
> > >   sys/sys fcntl.h
> > >   Log:
> > >   Implement a new open(2) flag: O_NOFOLLOW. This will instruct open
> > >   to not follow symlinks, but to open a handle on the link itself(!).
> > >   As strange as this might sound, it has several useful applications
> > >   safe race-free ways of opening files in hostile areas (eg: /tmp, a mode
> > >   1777 /var/mail, etc). It also would allow things like fchown() to work
> > >   on the link rather than having to implement a new syscall specifically for
> > >   that task.
> >
> If we talk about the /tmp links security problem, this change requires
> modification of each application, which doesn't sound good. A better hack
> will be to treat the 't' bit of a directory as a 'not follow symlink' instruction
> in the kernel. It automatically fixes all known /tmp races without
> application modification.

This has been thrashed out again and again on lists like bugtraq. That
sort of thing is not really a "fix" to the problem - because if the
symlink race is being done under user control (eg: user causing a setuid
program that has a bug), the odds are that it'll use $TMPDIR or something
else silly. Then, the user can mkdir $HOME/tmp, set TMPDIR to $HOME/tmp
and do exactly what they please without any "protection" from 't' bit
hacks.

Cheers,
-Peter
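The per-application check discussed in this thread, as an added example that is not part of the original message or of FreeBSD's code: it opens a file with O_NOFOLLOW inside a private mode-0700 directory (no 't' bit, like the $HOME/tmp case above) and shows the symlink is still refused. It assumes the current open(2) semantics, where O_NOFOLLOW makes the open fail on a final-component symlink (ELOOP, or EMLINK on FreeBSD) instead of returning a handle on the link as the 1998 commit log describes; `open_nofollow_regular` and `demo` are hypothetical names.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path read-only, refusing a symlink in the last component and
 * anything that is not a regular file. Returns an fd, or -1 with errno set. */
int open_nofollow_regular(const char *path)
{
    struct stat st;
    /* O_NONBLOCK keeps a planted FIFO from hanging the open. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;               /* symlink: ELOOP, or EMLINK on FreeBSD */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed scenario. Returns 0 when the real file opens and the
 * symlink pointing at it is refused, 1 otherwise, -1 on setup failure. */
int demo(void)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    char real[64], lnk[64];
    int fd, ok_real, ok_link;

    if (mkdtemp(dir) == NULL)    /* created mode 0700, sticky bit not set */
        return -1;
    snprintf(real, sizeof real, "%s/real", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    fd = open(real, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(real, lnk) != 0)
        return -1;

    fd = open_nofollow_regular(real);
    ok_real = (fd >= 0);
    if (fd >= 0) close(fd);

    fd = open_nofollow_regular(lnk);
    ok_link = (fd < 0 && (errno == ELOOP || errno == EMLINK));
    if (fd >= 0) close(fd);

    unlink(lnk); unlink(real); rmdir(dir);
    return (ok_real && ok_link) ? 0 : 1;
}

int main(void) { return demo(); }
```

O_NOFOLLOW only covers the last path component; a symlink in an earlier component of the path is still followed.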