Subject: Re: Question about HOSTALIASES changes
To: None <email@example.com>
From: Kazushi (Jam) Marukawa <firstname.lastname@example.org>
Date: 08/14/2000 00:41:07
On Aug 14, 14:14, email@example.com wrote:
> Subject: Re: Question about HOSTALIASES changes
> >Original comment said this should check read permission of
> >HOSTALIASES file. However, this change just avoids all of
> >them. Is checking file permission following original
> >comment not enough for security?
> this is due to security reason. suppose we set HOSTALIASES to
> something like /dev/foo, and invoke setuid'ed program.
> non-root user can can let tape to rewind, at least.
> revision 1.27 was insecure.
Yes. I agree with you. Therefore, I'm asking why don't you
check a read permission of the file pointed by HOSTALIASES
before open it like original comment said. Is there any
security problem with such implementation?
I think original comments should be left at least in order
to let us know how it should work if such implementation
doesn't have any security problem.