[PATCH] autocache patche -- resend, updated
Enrico Scholz
enrico.scholz at informatik.tu-chemnitz.de
Fri May 26 11:04:35 UTC 2006
Michael_E_Brown at dell.com (Michael E Brown) writes:
> Here is a resend/consolidation of the autocache patches from last week.
> I have combined the patches sent last week. It now defaults to gzip
> format. I have also made the following fixes:
> + check_dir_allowed (rootsdir, argv[2]);
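Review bot: check_dir_allowed(rootsdir, argv[2]) validates the path name before it is used, so any later operation that reopens the same path races against the check (the path can be swapped for a symlink in between); bind the check to the object instead, e.g. open/chdir into the directory once and run the later operations on ".".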
When you do security checks, then please do them correctly. Everything
else will give a wrong feeling of security:
* a
| check_dir(<dir>);
| operate_in_dir(<dir>); // tar ...
always opens a window for symlink attacks. Better do
| chdirSafe(<dir>);
| operate_in_dir("."); // tar ...
The security of 'tar' operations is another question; extraction can
be made secure by extracting into a private dir and doing an atomic
rename(2) then. ATM, I do not see how to implement tarball
creation securely.
* you should check the permissions of the tar-file; else, the user can provide
e.g. a publicly writable /dev/kmem device in the tarball
Ok, the question remains whether such checks (including check_dir_allowed())
are needed at all. 'mock' gives practically root rights to everybody in the
mock.
Enrico
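The chdirSafe() idea from the message above, worked out as an added C example that is not part of this thread or of mock itself: the directory is opened without following a trailing symlink, the opened object (not the path name) is checked, and only then does it become the cwd, so later operations on "." act on exactly what was checked. The function name chdir_safe, the owner/writability policy and the temporary-directory self-check are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Enter `dir` without a check-then-use window: O_NOFOLLOW refuses a symlink
 * at the final component, fstat() inspects the descriptor we actually hold,
 * and fchdir() moves into that same object. Returns 0 on success, -1 on error. */
int chdir_safe(const char *dir, uid_t expected_owner)
{
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                     /* ELOOP: symlink, ENOTDIR: not a dir */
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    /* Policy (assumption): must be a directory, owned by the expected user,
     * and not writable by group or others. */
    if (!S_ISDIR(st.st_mode) || st.st_uid != expected_owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (fchdir(fd) < 0) { close(fd); return -1; }
    close(fd);
    return 0;                          /* now operate on "." */
}

/* Constructed self-check: a fresh 0700 directory must be accepted, while a
 * symlink pointing at that same directory must be refused. Returns 0 if both
 * expectations hold, otherwise a small code identifying the failed step. */
int chdir_safe_selfcheck(void)
{
    char base[] = "/tmp/chdirsafe.XXXXXX";
    if (!mkdtemp(base)) return 1;      /* created with mode 0700, owned by us */
    char link[64];
    snprintf(link, sizeof link, "%s.lnk", base);
    int rc = 0;
    if (symlink(base, link) < 0)               rc = 2;
    else if (chdir_safe(link, getuid()) == 0)  rc = 3;   /* symlink accepted: bad */
    else if (chdir_safe(base, getuid()) != 0)  rc = 4;   /* real dir refused: bad */
    if (chdir("/") < 0) rc = 5;                           /* leave before cleanup */
    unlink(link);
    rmdir(base);
    return rc;
}
```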