Zsh Mailing List Archive
Messages sorted by:
Reverse Date,
Date,
Thread,
Author
Re: difflog.pl and "security"
- X-seq: zsh-workers 24145
- From: Peter Stephenson <pws@xxxxxxx>
- To: zsh-workers@xxxxxxxxxx
- Subject: Re: difflog.pl and "security"
- Date: Mon, 3 Dec 2007 17:36:37 +0000
- In-reply-to: <071203083301.ZM4267@xxxxxxxxxxxxxxxxxxxxxx>
- Mailing-list: contact zsh-workers-help@xxxxxxxxxx; run by ezmlm
- Organization: CSR
- References: <20071202214005.GA6517@xxxxxxxxxxx> <071202174520.ZM3017@xxxxxxxxxxxxxxxxxxxxxx> <20071203104256.09dc9684@news01> <071203083301.ZM4267@xxxxxxxxxxxxxxxxxxxxxx>
On Mon, 03 Dec 2007 08:33:01 -0800
Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx> wrote:
> On Dec 3, 10:42am, Peter Stephenson wrote:
> }
> } Yes, I'm more worried about the implication that anything distributed
> } will be assumed to be robust for any usage. In the usage for which
> } difflog.pl is supplied, security is not an issue since you're diffing
> } two publicly available logs.
>
> If I understand the issue correctly, the problem is not what's in the
> log files, but what's in /tmp.
>
> E.g., if a local attacker can guess when difflog.pl is being run and
> what its process ID is, he can create symlinks in /tmp that point
> from the files difflog is about to create, to any files owned by the
> person running difflog, and cause the target files to be clobbered.
Yes, you're right. However, the other remark stands... should I commit
the change I suggested? (There's obviously no harm in the documentation
update.)
--
Peter Stephenson <pws@xxxxxxx> Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK Tel: +44 (0)1223 692070
Messages sorted by:
Reverse Date,
Date,
Thread,
Author