Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: difflog.pl and "security"



On Mon, 03 Dec 2007 08:33:01 -0800
Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx> wrote:
> On Dec 3, 10:42am, Peter Stephenson wrote:
> }
> } Yes, I'm more worried about the implication that anything distributed
> } will be assumed to be robust for any usage. In the usage for which
> } difflog.pl is supplied, security is not an issue since you're diffing
> } two publicly available logs.
> 
> If I understand the issue correctly, the problem is not what's in the
> log files, but what's in /tmp.
> 
> E.g., if a local attacker can guess when difflog.pl is being run and
> what its process ID is, he can create symlinks in /tmp that point
> from the files difflog is about to create, to any files owned by the
> person running difflog, and cause the target files to be clobbered.

Yes, you're right.  However, the other remark stands...  should I commit
the change I suggested?  (There's obviously no harm in the documentation
update.)

-- 
Peter Stephenson <pws@xxxxxxx>                  Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK                          Tel: +44 (0)1223 692070



Messages sorted by: Reverse Date, Date, Thread, Author