Subject: Re: proposed change to ruserok()
To: None <tech-userlevel@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-userlevel
Date: 12/12/2001 14:50:29
> * home directory cannot be writable by other (group too??)
I'm not sure about this. The account is already wide open to anyone
who can write its homedir; I don't see .rhosts as being a big deal. As
it stands, the message is wrong, too; the message says "other than
owner" but you check only IWOTH, not IWOTH|IWGRP.
> * checks to see if the file changes between lstat & fopen with more
> vigour
Vide infra.
> * check that .rhosts is a regular file before opening it
You can narrow but not close this window. Still, since it appears
inevitable (until/unless we get an O_REGONLY flag to open(2)), at least
we can make it as small as feasible.
> The reason for lstat() and preventing .rhosts from being a symbolic
> link isn't clear given that fstat() is used. If someone else is
> willing to stake their life on stat() being safe and not introducing
> a security hole, it could be used instead of lstat().
Life? I think that's being overdramatic.
I still[%] don't see any need to do that stat at all. Given that you
do the open as the user, and that you fstat the fd afterwards (to check
its owner), I can't see anything that preventing symlinks buys you.
Can anyone point out something I'm missing? (My guess is, the lstat's
presence is a holdover from versions that didn't switch IDs to do the
open, and in that case, the lstat is semi-necessary - though there are
some holes it only shrinks, not closes.)
[%] "still" because I was one of the people involved in the icb
discussion on this issue.
/~\ The ASCII                      der Mouse
\ / Ribbon Campaign
 X  Against HTML        mouse@rodents.montreal.qc.ca
/ \ Email!      7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
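The pattern the thread converges on (open the file as the account's user, then do every check on the open descriptor rather than on the path) looks like this in C. This is an added example, not code from the mail or from NetBSD's ruserok(); the function names are made up, and it assumes the caller has already switched to the target uid and that the platform has O_NOFOLLOW.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a .rhosts-style file and validate it on the open fd, so nothing can be
 * swapped in between a path-based stat and the open. Caller is assumed to have
 * already switched to the account's uid. Returns an fd >= 0, or -1 if rejected. */
int open_rhosts_checked(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink at the last component atomically with the open;
     * O_NONBLOCK keeps a FIFO from hanging us; O_NOCTTY keeps a tty from becoming
     * our controlling terminal. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||   /* regular file only */
        st.st_uid != owner ||                            /* owned by the account */
        (st.st_mode & (S_IWGRP | S_IWOTH))) {            /* not group/other-writable */
        close(fd);
        return -1;
    }
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK); /* regular file: blocking is fine */
    return fd;
}

/* Exercise the check on constructed files in a fresh temp dir; 1 if all cases pass. */
int demo_rhosts_checks(void)
{
    char dir[] = "/tmp/rhostsXXXXXX", file[64], link[64];
    const char body[] = "trusted.example.org user\n";    /* constructed sample */
    int fd, ok = 1;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(file, sizeof file, "%s/rhosts", dir);
    snprintf(link, sizeof link, "%s/rhosts.lnk", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, body, sizeof body - 1) < 0) return 0;
    close(fd);
    fd = open_rhosts_checked(file, getuid());            /* 1: mode 0600 accepted */
    ok &= (fd >= 0); if (fd >= 0) close(fd);
    chmod(file, 0666);                                   /* 2: world-writable rejected */
    ok &= (open_rhosts_checked(file, getuid()) < 0);
    ok &= (symlink(file, link) == 0 &&                   /* 3: symlink rejected */
           open_rhosts_checked(link, getuid()) < 0);
    unlink(link); unlink(file); rmdir(dir);
    return ok;
}
```

The lstat() the mail questions is replaced by O_NOFOLLOW on the open itself, which is what closes the window rather than merely narrowing it.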