[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: lynx-dev Re: who owns what
From: |
dickey |
Subject: |
Re: lynx-dev Re: who owns what |
Date: |
Sun, 11 Oct 1998 07:03:09 -0400 (EDT) |
> Tom's code checks not only the actual file being written, but also the
> directory path it lives in. That's because even if you own it, it can't
> be trusted if it lives in an untrustable directory -- or if any of its
> parents, up to the root directory, can't be trusted. Now, aside from
> the problem it caused you, this is also problematic because it adds many
> more opportunities for race conditions. So I think a different solution
> is needed. But that will be addressed later.
no problem (2.8.2)
> Meanwhile, I do agree with the notion that if a file is in (or below)
> your home directory, Lynx should trust it. I say that because, if your
> home directory is untrustworthy (e.g. if it has permissions that allow
> anyone to write files into it), there are endless ways to attack you.
> Lynx can't help you. It's like locking the door of a car when the
> window is rolled down.
it's still the same problem - someone's asserted it's the $HOME, which may
not be reliable. it should be subject to the same checks as other files.
>
> >Bela<
--
Thomas E. Dickey
address@hidden
http://www.clark.net/pub/dickey
- Re: lynx-dev Re: who owns what, (continued)
- Re: lynx-dev Re: who owns what, David Combs, 1998/10/10
- Re: lynx-dev Re: who owns what, Bela Lubkin, 1998/10/11
- Re: lynx-dev Re: who owns what, Bela Lubkin, 1998/10/11
- Re: lynx-dev Re: who owns what,
dickey <=
- Re: lynx-dev Re: who owns what, dickey, 1998/10/11
- Re: lynx-dev Re: who owns what, Bela Lubkin, 1998/10/11