lynx-dev

Re: LYNX-DEV Re: ...vulnerability in Lynx...


From: Klaus Weide
Subject: Re: LYNX-DEV Re: ...vulnerability in Lynx...
Date: Thu, 8 May 1997 22:29:10 -0500 (CDT)

On Thu, 8 May 1997, Jonathan Sergent wrote:

> Perhaps a _better_ approach is a combination of the above two conditions.
> 
> Test each directory (temp_space and its parents, up to the filesystem root)
> for the following:
> 
>    Is the directory group-writeable or world-writeable?
>       If not, is the directory owned by the user or by uid 0?
>          If so, the directory is okay.
>          If not, the directory is bad.
> #if !defined(NO_STICKY_DIRECTORIES)
>       If it is writeable by others, is the sticky bit set?
>          If so, the directory is okay (2).
>          If not, the directory is bad.
> #endif
>    If the directory is bad, print an informational error message and exit.

You forgot to add a note for your "(2)", but here is one:

Okay for what?
If you mean "for creating another temporary subdir in this dir", then
probably you are right.
If you mean "for direct use as temp_space", then it is not okay, since the
sticky bit will not prevent writing to existing files owned by others
including symlinks, AFAIK.

  Klaus
