[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: LYNX-DEV Re: ...vulnerability in Lynx...
From: |
Jonathan Sergent |
Subject: |
Re: LYNX-DEV Re: ...vulnerability in Lynx... |
Date: |
Thu, 08 May 1997 09:09:08 -0500 |
] On Thu, 8 May 1997, Alan Cox wrote:
]
] > And if we don't your ISP if they have a clue will delete it entirely for
] > good. At least if we fix the default you can choose to be personally
] > insecure by changing the tmp dir via the environment variables..
]
] If we change the default to be an unpredictable name, would this
] be a low enough risk?
I think the idea is to eliminate the risk; if there is one, somebody
will without a doubt figure out how to take advantage of it.
There's nothing wrong with putting a directory in LYNX_TEMP_SPACE that
you know to be O.K. (i.e. if / is mode 755, /tmp has the sticky bit set,
and you have a mode 0700 directory inside it).
As far as quota goes, other browsers are notorious for making people
go over quota because they don't notice the files building up in a
"hidden" dot directory. It would make sense to include an error message
about changing $LYNX_TEMP_SPACE to point to somewhere with more space
when Lynx can't write to it despite the permissions.
I see no problem with using $HOME for the default temp space, since
Lynx cleans them up at exit unless it crashes abnormally (in which
the files are distinctively named and the user will be able to delete
them--unlike the "hidden" caches from other browsers).
Doing that only requires a change in userdefs.h. I think it makes
the most sense to change said default, and add a comment warning
people not to set the default to /tmp.
As Alan made clear, "we" need to come to a consensus as to the best
way to fix this, and issue a release (preferably called 2-7-2, so
as to encourage people to install it, and to make it differentiable
to people) before CERT does.
$0.02.
--jss.
;
; To UNSUBSCRIBE: Send a mail message to address@hidden
; with "unsubscribe lynx-dev" (without the
; quotation marks) on a line by itself.
;
- Re: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)], (continued)
- RE: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)], Brian Tillman, x8425, 1997/05/07
- Re: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)], Scott McGee (Personal), 1997/05/07
- Re: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)], Larry W. Virden, x2487, 1997/05/07
- LYNX-DEV Re: ...vulnerability in Lynx..., Klaus Weide, 1997/05/07
- Re: LYNX-DEV Re: ...vulnerability in Lynx..., Alan Cox, 1997/05/08
- Re: LYNX-DEV Re: ...vulnerability in Lynx..., Jim Spath (Webmaster Jim), 1997/05/08
- Re: LYNX-DEV Re: ...vulnerability in Lynx..., Alan Cox, 1997/05/08
- Re: LYNX-DEV Re: ...vulnerability in Lynx..., Jim Spath (Webmaster Jim), 1997/05/08
- Re: LYNX-DEV Re: ...vulnerability in Lynx...,
Jonathan Sergent <=
- Re: LYNX-DEV Re: ...vulnerability in Lynx..., Alan Cox, 1997/05/08
- Re: LYNX-DEV Re: ...vulnerability in Lynx..., Matthew Kelly, 1997/05/08
- Re: LYNX-DEV Re: ...vulnerability in Lynx..., Larry W. Virden, x2487, 1997/05/08
Re: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)], Foteos Macrides, 1997/05/07
Re: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)], Brian Tillman, x8425, 1997/05/08
Re: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)], Scott McGee (Personal), 1997/05/08