[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: what's up with security?



** On May 25, Gergely Madarasz scribbled:
> On Thu, 25 May 2000, Marek Habersack wrote:
> 
> > Also mailman has a problem with symlinks when running on a kernel with the
> > Solar Designer's openwall security patch. Namely, mailman creates temporary
> > files when moving them around using hardlinks. In general, it does the
> > hardlinks in the same directory where the file sits and if the directory
> > has the t bit set, openwall patch forbids mailman to create the hardlink.
> > Same goes when /tmp is used for hardlinking. It's a totally flawed way of
> > moving files around, but inspite a discussion on that topic somewhere last
> > year, nobody changed it - for me, personally, mailman became unusable.
> 
> Wrong. Mailman never touches anything in +t directories. Openwall (and
I don't know (or want to know) Python well enough to examine the Mailman
sources carefully, what I know is that I get an error message on console
every time anyone posts anything that gets processed by Mailman and the
_only_ +t directories Mailman has access to are /tmp, /var/tmp...

> Solar Designer's patch) restricts hardlinks in any directory, so one
From the OW README:

 Restricted links in /tmp
--------------------------

I've also added a link-in-+t restriction, originally for Linux 2.0 only,
                  ^^^^^^^^^^^
by Andrew Tridgell.  I've updated it to prevent from using a hard link in
an attack instead, by not allowing regular users to create hard links to
files they don't own.  This is usually the desired behavior anyway, since
           ^^^^^^^^^
otherwise users couldn't remove such links they've just created in a +t
directory, and because of disk quotas.


> can't _HARD_link to an already existing file if it's owned by someone
that's what I said, hardlink.

> else even if one has write access to it. This is a flaw in mailmans
> design, it uses group permissions to handle stuff (and uses the web user,
> mail user, and the local mailman/list user for different tasks).
Exactly. That was the reason Mailman stopped working for me and I had to
ditch it, although I wasn't happy about that. And a flaw in design is a bug
no matter from what direction one looks at it. 

marek

Attachment: pgpKje9iyFmel.pgp
Description: PGP signature


Reply to: