lynx-dev

Re: lynx-dev 2.8.1dev.19.patch.gz


From: T.E.Dickey
Subject: Re: lynx-dev 2.8.1dev.19.patch.gz
Date: Fri, 31 Jul 1998 18:34:11 -0400 (EDT)

> T.E.Dickey wrote: 
>  
> > 1998-07-31 (2.8.1dev.19) 
>  
> Briefly, for the impatient: dev.19 re-introduces serious /tmp security 
> holes -- don't use it unless you are using per-user Lynx temp dirs. 
no -- read below (perhaps I was too terse in my changelog entry, but the
information is there).
  
> > * add option -eat_all_cookies and corresponding config variable 
> >   EAT_ALL_COOKIES (Brian J Pardy <address@hidden>). 
>  
> I thought it was agreed that the word "eat" was too confusing.  This 
> should be "-accept_all_cookies", no? 
I put that in before I came across the rest of the thread - but I don't
think there was actually a conclusion, but rather a proposal for a more
complicated thing.

> > * correct spurious 'Content' string versus newline after X-URL in LYMain.c 
> >   (Bela Lubkin and Larry Virden). 
>  
> LYMail.c 
thanks.
  
> > * modify OpenHiddenFile so that it can overwrite files owned by the real 
> >   user if the O_EXCL open fails because the file already exists - TD 
>  
> This modification reintroduces temp file problems!  Part of the point of 
> opening with O_CREAT | O_EXCL is that this combination does not follow 
> symbolic links.  If you strictly use O_CREAT | O_EXCL (and other related 
no - read the code -- I'm pretty sure it's ok.  I check that it is owned
by the real user before deciding to reopen it.  If you don't allow this,
you cannot overwrite a screen printfile. (As an afterthought, I should
add a line to verify that it's a file, not a directory).

> precautions, and are generally very careful), it is safe to use a public 
> /tmp directory as long as the directory is "sticky" (doesn't allow users 
> to delete other users' files). 
>  
> The new code takes that away again.  I can create a symlink to one of 
> your files.  The first open(O_CREAT | O_EXCL) will fail with EEXIST, so 
but you can't open it with lynx - since you don't own it.  (even if lynx
were running setuid as root).

> you'll go into the new code and truncate the file. 
>  
> Suppose I know root's about to run Lynx.  I can anticipate one of the 
> temp filenames it's going to use, and do: 
>  
>   ln -s /.rhosts /tmp/$ANTICIPATED_NAME 
root isn't the real owner of the file (I just retested that it will not
be able to write the file)
  

-- 
Thomas E. Dickey
address@hidden
http://www.clark.net/pub/dickey
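
Added example, not part of the original message and not Lynx's code: a C sketch of the create-or-reuse logic debated above, where an exclusive create that fails with EEXIST falls back to reopening only a regular file owned by the real user. The names `open_private_file` and `demo` are hypothetical, and the link-count check and the `O_NOFOLLOW`/`fstat` comparison are assumptions that go beyond the checks the message describes.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not Lynx's OpenHiddenFile. Returns a write fd, or -1 with errno set. */
int open_private_file(const char *path)
{
    struct stat before, after;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 || errno != EEXIST) return fd;  /* created, or a real error */
    if (lstat(path, &before) < 0) return -1;    /* lstat: the name, not a link target */
    if (!S_ISREG(before.st_mode) || before.st_uid != getuid()
        || before.st_nlink != 1) {  /* symlink, directory, foreign or hard-linked */
        errno = EPERM;
        return -1;
    }
    if ((fd = open(path, O_WRONLY | O_NOFOLLOW)) < 0) return -1;  /* no O_TRUNC yet */
    if (fstat(fd, &after) < 0 || after.st_dev != before.st_dev
        || after.st_ino != before.st_ino || ftruncate(fd, 0) < 0) {
        close(fd);                  /* name changed between lstat and open */
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a scratch directory; one result bit per passing case. */
int demo(void)
{
    char dir[] = "/tmp/ohf.XXXXXX", a[64], lnk[64];
    struct stat st;
    int fd, ok = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/a", dir);
    snprintf(lnk, sizeof lnk, "%s/lnk", dir);
    if ((fd = open_private_file(a)) >= 0) { ok |= (write(fd, "x", 1) == 1); close(fd); }
    if (symlink(a, lnk) == 0 && open_private_file(lnk) < 0
        && stat(a, &st) == 0 && st.st_size == 1) ok |= 2;   /* link refused, target intact */
    if (open_private_file(dir) < 0) ok |= 4;                /* directory refused */
    if ((fd = open_private_file(a)) >= 0) { ok |= 8 * (lseek(fd, 0, SEEK_END) == 0); close(fd); }
    unlink(lnk); unlink(a); rmdir(dir);
    return ok;
}

int main(void) { return demo() == 15 ? 0 : 1; }
```

The truncation happens through `ftruncate` on the verified descriptor rather than `O_TRUNC` at open time, so nothing is destroyed if the name is swapped between the `lstat` and the reopen.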
