Re: what's up with security?
On Thu, 25 May 2000, Marek Habersack wrote:
> Also mailman has a problem with symlinks when running on a kernel with the
> Solar Designer's openwall security patch. Namely, mailman creates temporary
> files when moving them around using hardlinks. In general, it does the
> hardlinks in the same directory where the file sits and if the directory
> has the t bit set, openwall patch forbids mailman to create the hardlink.
> Same goes when /tmp is used for hardlinking. It's a totally flawed way of
> moving files around, but inspite a discussion on that topic somewhere last
> year, nobody changed it - for me, personally, mailman became unusable.
Wrong. Mailman never touches anything in +t directories. Openwall (and
Solar Designer's patch) restricts hardlinks in any directory, so one
can't _HARD_link to an already existing file if it's owned by someone
else even if one has write access to it. This is a flaw in mailmans
design, it uses group permissions to handle stuff (and uses the web user,
mail user, and the local mailman/list user for different tasks).
--
Madarasz Gergely gorgo@sztaki.hu gorgo@linux.rulez.org
It's practically impossible to look at a penguin and feel angry.
Egy pingvinre gyakorlatilag lehetetlen haragosan nezni.
HuLUG: http://mlf.linux.rulez.org/
Reply to: