From owner-freebsd-security Tue Oct 1 16:50:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9054337B401 for ; Tue, 1 Oct 2002 16:50:17 -0700 (PDT) Received: from pogo.caustic.org (caustic.org [64.163.147.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3E1C343E75 for ; Tue, 1 Oct 2002 16:50:17 -0700 (PDT) (envelope-from jan@caustic.org) Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id g91NoEs92505; Tue, 1 Oct 2002 16:50:14 -0700 (PDT) (envelope-from jan@caustic.org) Date: Tue, 1 Oct 2002 16:50:14 -0700 (PDT) From: "f.johan.beisser" To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?) In-Reply-To: <4.3.2.7.2.20021001173317.034cfe10@localhost> Message-ID: <20021001164903.H67581-100000@pogo.caustic.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 1 Oct 2002, Brett Glass wrote: > I was using the ~ notation as a shorthand. The point is that if you can > get at a user's .forward file, that's sufficient to run code as him/her. > There are lots of other clever ways, too; that's just the first > example that came to mind. ah, sorry. i've been working on scripts today. i'm in a little bit of a literallist mindset. > Rather than give someone the opportunity to find a clever exploit, I think > we'd best just close the hole. ;-) well, agreed. -------/ f. johan beisser /--------------------------------------+ http://caustic.org/~jan jan@caustic.org "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover." -- Tim Triche To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message