Re: Would this create a security problem?

To: debian-security@lists.debian.org
Subject: Re: Would this create a security problem?
From: Antti-Juhani Kaijanaho <ajk@debian.org>
Date: Fri, 2 Jan 2004 12:13:52 +0200
Message-id: <[🔎] 20040102101352.GJ3300@kukkaruukku.keltti.jyu.fi>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 20040102100520.GA26187@dat.etsit.upm.es>
References: <[🔎] 20040101222610.GH3300@kukkaruukku.keltti.jyu.fi> <[🔎] 20040102100520.GA26187@dat.etsit.upm.es>

On 20040102T110521+0100, Javier Fernández-Sanguino Peña wrote:
> commands it might be worthwhile to check their permissions and ownership 
> before making use of them (i.e. ensuring they are not world-writable and 
> that they belong to the current runing user).

... or to root, obviously.

Yes, I was planning on doing that.

> It is very common, however, to use configuration files in a way that they 
> can modify the way code is executed. For example:

My concern is not that the file changes how the code works.  It already
does that.  My concern is that if I add that pipe feature, a
configuration file will be able to specify arbitrary shell commands to
be executed without the user noticing it.  My problem is, does this
create a security problem.

> http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/file-contents.html

Thanks for that link.

-- 
Antti-Juhani Kaijanaho, Debian developer   http://www.iki.fi/gaia/

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- Would this create a security problem?
  - From: Antti-Juhani Kaijanaho <ajk@debian.org>
- Re: Would this create a security problem?
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>

Prev by Date: Re: [Users] IPSec WinXP interop
Next by Date: unsubscribe
Previous by thread: Re: Would this create a security problem?
Next by thread: Re: Need recomendations for https proxy that serves as a firewall proxy
Index(es):
- Date
- Thread