Subject: Re: Question about HOSTALIASES changes
To: Kazushi Marukawa (Jam) <jam@pobox.com>
From: None <itojun@iijlab.net>
List: current-users
Date: 08/14/2000 14:46:30
>   > 	this is due to security reason.  suppose we set HOSTALIASES to
>   > 	something like /dev/foo, and invoke setuid'ed program.
>   > 	non-root user can let the tape rewind, at least.
>   > 	revision 1.27 was insecure.
>
>Yes.  I agree with you.  Therefore, I'm asking why don't you
>check the read permission of the file pointed to by HOSTALIASES
>before opening it, like the original comment said.  Is there any
>security problem with such an implementation?

	when the change was committed, there were some discussions
	(I forgot where it was).  basically, HOSTALIASES would work with
	a setuid'ed program, if the following checks were made:
	- check if uid of the file == real uid
	- check if the permission is strict enough (like 0600)
	- make sure that the file is not a special file
	the discussion concluded that those checks can cover only very few
	cases, and could be too messy compared to the benefit they would
	buy.  so 1.28 picked the simple (and probably more pedantic) way.
	
>I think the original comments should be left, at least in order
>to let us know how it should work if such an implementation
>doesn't have any security problem.

	i don't disagree but we can't write everything down into the source.

itojun
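The three checks itojun lists, as an added example that is not NetBSD's libc code nor part of the thread: the checks are applied with fstat() to the descriptor that was already opened (not to the path before open), so the file cannot be swapped between the check and the use. The names `open_hostaliases_checked` and `self_check` and the /tmp fixture path are chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the HOSTALIASES file for a set-id process and return the descriptor
 * only if it passes the three checks from the thread: a regular file (no
 * device, FIFO or socket), owned by the real uid, and no group/other bits
 * (at least as strict as 0600).  The checks run on the open descriptor via
 * fstat(), not on the path, so the file cannot be swapped between check
 * and use.  Returns -1 when any check fails or the open itself fails. */
int open_hostaliases_checked(const char *path, uid_t real_uid)
{
    struct stat st;
    /* O_NOFOLLOW: refuse a symlink; O_NONBLOCK: never hang on a FIFO/device */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != real_uid || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Exercise the policy on constructed fixtures: a 0600 file we own passes,
 * the same file at 0644 is refused, and /dev/null (a device) is refused.
 * Returns 1 when all three outcomes match, 0 otherwise. */
int self_check(void)
{
    char path[] = "/tmp/hostaliases.XXXXXX";   /* constructed test file */
    uid_t me = getuid();
    int fd = mkstemp(path), strict_ok, loose_ok, dev_ok;
    if (fd < 0)
        return 0;
    close(fd);
    if (chmod(path, 0600) != 0) { unlink(path); return 0; }
    fd = open_hostaliases_checked(path, me);
    strict_ok = fd >= 0;
    if (fd >= 0)
        close(fd);
    if (chmod(path, 0644) != 0) { unlink(path); return 0; }
    loose_ok = open_hostaliases_checked(path, me) < 0;
    dev_ok = open_hostaliases_checked("/dev/null", me) < 0;
    unlink(path);
    return strict_ok && loose_ok && dev_ok;
}
```

The simple policy 1.28 chose instead is to skip HOSTALIASES entirely when the process is set-id, which needs none of these checks.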