Re: lynx-dev 2.8.1dev.19.patch.gz

[T.E.Dickey]

> A delayed ftruncate() doesn't prevent the case where an attacker has 
> made a hard link from one of your files to /tmp.  You can prevent that 
> by having /tmp a separately mounted filesystem, but some systems aren't 
> set up that way. 
I discarded the ftruncate last night, will probably have a dev.20 ready for
test tomorrow (I've yet to integrate the strsep fix, LP's changes and yet
another fix for socks5).  I incorporated your fixes, along with a new function
that checks that the given filename isn't either a hard link, or a soft link
(from a world-writable directory such as tmp).  We can refine that later to
take into account sticky bits (and whether the user should be allowed to
write files to his home directory if that is world-writable ;-).
  
> It is apparent to me that securing Lynx against /tmp races is going to 
I've moved most of the code for temp-files into single functions to make
this (I think) easier.  But my plan was not to do all of the aspects at
once (O_EXCL, sticky bits), but to work on each one in succession and
see what is missed (you've pointed out several items ;-.

> require a complete rewrite of all of its temp file routines.  I'm 
> committing to that project.  I'm also extremely busy with my job, moving 
> into a new house, etc.  So it might take a few weeks before I have it 
> ready to be integrated.  Bear with me. 
no problem - I'm patient.  I'm sure you'll see & think of aspects that I'm
not looking at.  I appreciate your efforts.
  
> >Bela< 
> 


-- 
Thomas E. Dickey
address@hidden
http://www.clark.net/pub/dickey