Date: Thu, 17 Jun 2010 15:13:02 -0700
From: Xin LI <delphij@delphij.net>
To: Peter Jeremy <peterjeremy@acm.org>
Cc: "freebsd-stable@freebsd.org" <freebsd-stable@FreeBSD.ORG>, "delphij@freebsd.org" <delphij@FreeBSD.ORG>, d@delphij.net
Subject: Re: [Stable 7] CPIO breakage/
Message-ID: <4C1A9DEE.8040203@delphij.net>
In-Reply-To: <20100617205302.GA60347@server.vk2pj.dyndns.org>
References: <1276639800.2462.80.camel@localhost.localdomain> <1276646707.2462.82.camel@localhost.localdomain> <4C18195A.3020501@delphij.net> <20100617205302.GA60347@server.vk2pj.dyndns.org>

On 2010/06/17 13:53, Peter Jeremy wrote:
> On 2010-Jun-15 17:22:50 -0700, Xin LI <delphij@delphij.net> wrote:
>> On 2010/06/15 17:05, Sean Bruno wrote:
>>> A little more background. It looks like symlinks are getting stripped
>>> of their '/' which sucks. Ideas?
> ...
>>> e.g. /home/foo/bar -> /opt/baz/blob
>>>
>>> becomes
>>>
>>> home/foo/bar -> opt/baz/blob
>>>
>>> Yuck.
>>
>> This is a security measurement I think.
>
> Can someone please explain how stripping a leading '/' off the
> destination of a symlink enhances security? The destination is
> not being written to.
>
>> --absolute-filenames disables this behavior.
>
> This definitely reduces security and would seem to be far more
> dangerous than being able to create symlinks to absolute pathnames.

Sorry I have misunderstood the original issue. It's the link target
being mangled and doesn't seem right to me. I'll ask the author about this.

The attached patch should restore the old behavior.

Cheers,
-- 
Xin LI <delphij@delphij.net> http://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

Attachment: cpio.diff
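
The effect discussed in this thread, as an added example that is not part of the original message and is not cpio's own code: it models stripping the leading '/' from a member name versus from a symlink target, and shows where the link from the thread's example ends up pointing in each case. The function names and the `/restore` extraction root are assumptions made for illustration.

```python
import posixpath

def safer_member_name(name):
    """Make a member name safe to create under the extraction directory:
    drop leading '/' and refuse '..' components (hypothetical helper)."""
    stripped = name.lstrip("/")
    if ".." in stripped.split("/"):
        raise ValueError("refusing member name with '..': %r" % name)
    return posixpath.normpath(stripped) if stripped else "."

def resolved_target(link_path, target):
    """Path a symlink at link_path refers to once it exists on disk.
    A relative target is resolved against the link's own directory."""
    if target.startswith("/"):
        return posixpath.normpath(target)
    base = posixpath.dirname(link_path)
    return posixpath.normpath(posixpath.join(base, target))

def archive_entry(name, target, mangle_target):
    """Return (stored_name, stored_target). mangle_target=True models the
    behaviour reported in the thread; False leaves the target untouched."""
    stored_target = target.lstrip("/") if mangle_target else target
    return safer_member_name(name), stored_target

# Sample taken from the thread's example; /restore is a constructed root.
NAME, TARGET, ROOT = "/home/foo/bar", "/opt/baz/blob", "/restore"

def demo():
    rows = {}
    for label, mangle in (("mangled", True), ("preserved", False)):
        stored_name, stored_target = archive_entry(NAME, TARGET, mangle)
        link_path = posixpath.join(ROOT, stored_name)
        rows[label] = (stored_name, stored_target,
                       resolved_target(link_path, stored_target))
    return rows

if __name__ == "__main__":
    for label, row in demo().items():
        print(label, row)
```

With the target mangled, the restored link resolves relative to its own directory instead of to the original absolute path, so the link changes meaning rather than merely being relocated.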