Date: Fri, 18 Jun 2010 06:53:03 +1000
From: Peter Jeremy <peterjeremy@acm.org>
To: d@delphij.net
Cc: "delphij@freebsd.org" <delphij@FreeBSD.ORG>, "freebsd-stable@freebsd.org" <freebsd-stable@FreeBSD.ORG>
Subject: Re: [Stable 7] CPIO breakage/
Message-ID: <20100617205302.GA60347@server.vk2pj.dyndns.org>
In-Reply-To: <4C18195A.3020501@delphij.net>
References: <1276639800.2462.80.camel@localhost.localdomain> <1276646707.2462.82.camel@localhost.localdomain> <4C18195A.3020501@delphij.net>

On 2010-Jun-15 17:22:50 -0700, Xin LI <delphij@delphij.net> wrote:
>On 2010/06/15 17:05, Sean Bruno wrote:
>> A little more background. It looks like symlinks are getting stripped
>> of their '/' which sucks. Ideas?
...
>> e.g. /home/foo/bar -> /opt/baz/blob
>>
>> becomes
>>
>> home/foo/bar -> opt/baz/blob
>>
>> Yuck.
>
>This is a security measurement I think.

Can someone please explain how stripping a leading '/' off the destination
of a symlink enhances security? The destination is not being written to.

>--absolute-filenames disables this behavior.

This definitely reduces security and would seem to be far more dangerous
than being able to create symlinks to absolute pathnames.

-- 
Peter Jeremy
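
The two paths this thread distinguishes, worked through lexically as an added illustration (not part of the original message and not cpio's own code): the path an entry is written to, and the path its symlink target names, with and without the leading '/' stripped from the target. The extraction directory `/tmp/x` and all function names are assumptions; the sample entry uses the paths quoted in the message.

```python
import posixpath

def strip_root(path):
    """Drop leading '/' characters, the transformation reported in the thread."""
    return path.lstrip("/")

def safe_member(dest, name):
    """Path an entry is written to: strip the root, refuse '..' escapes."""
    rel = posixpath.normpath(strip_root(name))
    if rel == ".." or rel.startswith("../"):
        raise ValueError(f"member escapes extraction dir: {name!r}")
    return posixpath.join(dest, rel)

def link_resolves_to(link_path, target):
    """Path a symlink at link_path names (lexical only, no filesystem access)."""
    if target.startswith("/"):
        return posixpath.normpath(target)
    # A relative target is interpreted from the directory holding the link.
    return posixpath.normpath(
        posixpath.join(posixpath.dirname(link_path), target))

def extract_plan(dest, name, target, strip_target):
    """Return (path written, link text stored, path the link names)."""
    link_path = safe_member(dest, name)
    stored = strip_root(target) if strip_target else target
    return link_path, stored, link_resolves_to(link_path, stored)

# Constructed sample: the example entry quoted in the message.
DEST = "/tmp/x"  # hypothetical extraction directory
ENTRY = ("/home/foo/bar", "/opt/baz/blob")

if __name__ == "__main__":
    for strip in (True, False):
        written, stored, names = extract_plan(DEST, *ENTRY, strip_target=strip)
        print(f"strip_target={strip}: write {written} -> {stored} (names {names})")
```

With the target stripped, the link created at `/tmp/x/home/foo/bar` names `/tmp/x/home/foo/opt/baz/blob` rather than `/opt/baz/blob`; the location written during extraction is the same in both cases.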