
Re: flashplugin-nonfree get-upstream-version.pl security concern



On 13/12/2012 20:52, Jordon Bedwell wrote:
> On Thu, Dec 13, 2012 at 1:47 PM, Davide Prina wrote:
>> su USER1 -c "script.sh" ... (downloading the file [with ugo+r] in
>> /tmp/RANDOMDIR [with ugo+x] only once).
>
> Why does the group and other need access again?

for letting other users read the file without downloading it again

> Even if it's read only
> you are still introducing a fatal security problem indirectly by
> promoting the usage of global read.

# mkdir /tmp/RANDOMDIR
# chown -R USER1:USER1 /tmp/RANDOMDIR
# su USER1 -c "script.sh"
# chown -R USER2:USER2 /tmp/RANDOMDIR
# su USER2 -c "script.sh"
...

Ciao
Davide

--
Dictionaries: http://linguistico.sourceforge.net/wiki
The dark sides of secure boot:
https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/whitepaper-web
Petition against secure boot:
https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/statement
GNU/Linux User: 302090: http://counter.li.org
I do not authorize the storing of my address on Outlook
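
The ownership hand-off shown in the message above, written out as a script with a check that nothing in the directory is group- or other-accessible before each user runs. This is an added example, not code from the thread or from flashplugin-nonfree; the function names, the `fetch.` directory prefix, the `handoff.sh` file name and the convention that the script receives the directory as its first argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: SCRIPT accepts the
# download directory as its first argument.

# Owner-only directory with an unpredictable name (mktemp -d creates it 0700).
new_private_dir() {
    mktemp -d "${TMPDIR:-/tmp}/fetch.XXXXXXXXXX"
}

# True only if DIR exists and nothing in it grants any bit to group or other.
private_ok() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -print | head -n 1)" ]
}

# Pass DIR to USER: drop group/other bits, then change owner without
# following symlinks the previous owner may have left behind (-h).
hand_over() {
    chmod -R go-rwx "$1" && chown -hR "$2:$(id -gn "$2")" "$1"
}

# run_for_users SCRIPT USER...   (root only)
run_for_users() {
    script=$1; shift
    dir=$(new_private_dir) || return 1
    for user in "$@"; do
        hand_over "$dir" "$user" || return 1
        private_ok "$dir" || { echo "$dir is group/other accessible" >&2; return 1; }
        su "$user" -c "$script '$dir'" || return 1
    done
    rm -rf -- "$dir"
}

# Example (hypothetical file name): sh handoff.sh ./script.sh USER1 USER2
if [ "$#" -ge 2 ]; then run_for_users "$@"; fi
```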

