Date: Fri, 18 Jun 2010 11:22:41 -0700
From: Xin LI <delphij@delphij.net>
To: Sean Bruno <seanbru@yahoo-inc.com>
Cc: "delphij@freebsd.org" <delphij@freebsd.org>, "freebsd-stable@freebsd.org" <freebsd-stable@freebsd.org>, "d@delphij.net" <d@delphij.net>, Peter Jeremy <peterjeremy@acm.org>
Subject: Re: [Stable 7] CPIO breakage/
Message-ID: <4C1BB971.4030501@delphij.net>
In-Reply-To: <1276883483.2518.27.camel@localhost.localdomain>
References: <1276639800.2462.80.camel@localhost.localdomain> <1276646707.2462.82.camel@localhost.localdomain> <4C18195A.3020501@delphij.net> <20100617205302.GA60347@server.vk2pj.dyndns.org> <4C1A9DEE.8040203@delphij.net> <1276883483.2518.27.camel@localhost.localdomain>

On 2010/06/18 10:51, Sean Bruno wrote:
> On Thu, 2010-06-17 at 15:13 -0700, Xin LI wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> On 2010/06/17 13:53, Peter Jeremy wrote:
>>> On 2010-Jun-15 17:22:50 -0700, Xin LI <delphij@delphij.net> wrote:
>>>> On 2010/06/15 17:05, Sean Bruno wrote:
>>>>> A little more background. It looks like symlinks are getting stripped
>>>>> of their '/' which sucks. Ideas?
>>> ...
>>>>> e.g. /home/foo/bar -> /opt/baz/blob
>>>>>
>>>>> becomes
>>>>>
>>>>> home/foo/bar -> opt/baz/blob
>>>>>
>>>>> Yuck.
>>>>
>>>> This is a security measurement I think.
>>>
>>> Can someone please explain how stripping a leading '/' off the
>>> destination of a symlink enhances security? The destination is
>>> not being written to.
>>>
>>>> --absolute-filenames disables this behavior.
>>>
>>> This definitely reduces security and would seem to be far more
>>> dangerous than being able to create symlinks to absolute pathnames.
>>
>> Sorry I have misunderstood the original issue. It's the link target
>> being mangled and doesn't seem right to me. I'll ask the author about this.
>>
>> The attached patch should restore the old behavior.
>>
>> Cheers,
>> - --
>> Xin LI <delphij@delphij.net> http://www.delphij.net/
>> FreeBSD - The Power to Serve! Live free or die
>
> Yep, *this* patches seems to make things much happier. I'll integrate
> cpio 2.8 back into the Yahoo tree when this is merged in.

Thanks for testing, I have committed the patch as r209311 and sorry for
the breakage.

Cheers,
-- 
Xin LI <delphij@delphij.net> http://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
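The distinction the thread arrives at, as an added example that is not part of the original message and is not cpio's code: the entry name decides where the extractor writes, so it is confined to the extraction root, while the link target is only stored text. The function names and the `/restore` root are assumptions made for this sketch, which works on path strings only and touches no files.

```python
import posixpath


def safe_member_name(name):
    """Return the entry name relative to the extraction root.

    This is the path the extractor writes to, so leading '/' is dropped
    and any '..' component is refused.
    """
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError(f"unsafe member name: {name!r}")
    return "/".join(parts)


def plan_symlink(root, member, target, mangle_target=False):
    """Return (path of the link, path the link resolves to).

    mangle_target=True models the breakage reported in the thread, where
    the leading '/' was stripped from the link target as well.
    """
    link_path = posixpath.join(root, safe_member_name(member))
    stored = target.lstrip("/") if mangle_target else target
    # A relative target is resolved against the directory holding the link;
    # an absolute target ignores that directory (posixpath.join does the same).
    resolved = posixpath.normpath(
        posixpath.join(posixpath.dirname(link_path), stored))
    return link_path, resolved


ROOT = "/restore"  # constructed extraction root

if __name__ == "__main__":
    # The thread's own example: /home/foo/bar -> /opt/baz/blob
    for mangle in (False, True):
        link, dest = plan_symlink(ROOT, "/home/foo/bar", "/opt/baz/blob", mangle)
        print(f"mangle_target={mangle}: {link} -> resolves to {dest}")
```

With the target stored verbatim the link still points at `/opt/baz/blob`; with the target mangled it points at a path under the link's own directory, which is the breakage Sean Bruno reported.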
