From: Xin LI
Date: Thu, 17 Jun 2010 15:13:02 -0700
To: Peter Jeremy
Cc: "freebsd-stable@freebsd.org", "delphij@freebsd.org", d@delphij.net
Subject: Re: [Stable 7] CPIO breakage/

On 2010/06/17 13:53, Peter Jeremy wrote:
> On 2010-Jun-15 17:22:50 -0700, Xin LI wrote:
>> On 2010/06/15 17:05, Sean Bruno wrote:
>>> A little more background.  It looks like symlinks are getting stripped
>>> of their '/' which sucks.  Ideas?
> ...
>>> e.g. /home/foo/bar -> /opt/baz/blob
>>>
>>> becomes
>>>
>>> home/foo/bar -> opt/baz/blob
>>>
>>> Yuck.
>>
>> This is a security measurement I think.
>
> Can someone please explain how stripping a leading '/' off the
> destination of a symlink enhances security?  The destination is
> not being written to.
>
>> --absolute-filenames disables this behavior.
>
> This definitely reduces security and would seem to be far more
> dangerous than being able to create symlinks to absolute pathnames.

Sorry I have misunderstood the original issue.  It's the link target
being mangled and doesn't seem right to me.  I'll ask the author about this.

The attached patch should restore the old behavior.

Cheers,
--
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

[Attachment: cpio.diff]
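An added illustration, not part of the original message and not cpio's code, of the distinction discussed in the thread: the member name decides where extraction writes, while the stored link target only decides where the link later resolves. The helper names and the `/mnt/restore` extraction root are assumptions made for the example; the link and target paths are the ones quoted above.

```python
import posixpath


def safer_name(path):
    """Strip leading '/' so a name is relative (assumed model of the member-name rule)."""
    return path.lstrip("/")


def archive_entry(link_path, target, mangle_target):
    """Return (member_name, stored_target) as recorded for a symlink.

    mangle_target=True models the behaviour reported in the thread, where the
    link target loses its leading '/' as well; False leaves the target intact.
    """
    stored = safer_name(target) if mangle_target else target
    return safer_name(link_path), stored


def written_path(extract_root, member_name):
    """Where extraction creates the link: depends on the member name only."""
    return posixpath.normpath(posixpath.join(extract_root, member_name))


def resolved_target(extract_root, member_name, stored_target):
    """Where the extracted link points once it is followed.

    A relative target is resolved against the directory holding the link;
    an absolute target replaces that directory (posixpath.join does this).
    """
    link_dir = posixpath.dirname(written_path(extract_root, member_name))
    return posixpath.normpath(posixpath.join(link_dir, stored_target))


def compare(extract_root, link_path="/home/foo/bar", target="/opt/baz/blob"):
    """Run both policies on the thread's example and report the outcome."""
    result = {}
    for label, mangle in (("mangled", True), ("preserved", False)):
        name, stored = archive_entry(link_path, target, mangle)
        result[label] = {
            "written": written_path(extract_root, name),
            "points_to": resolved_target(extract_root, name, stored),
        }
    return result


if __name__ == "__main__":
    for root in ("/", "/mnt/restore"):
        print(root, compare(root))
```

In both cases the link is created at the same place under the extraction root; only the mangled variant changes what the link refers to, turning `/opt/baz/blob` into a path relative to `/home/foo`.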