Subject: Re: proposed change to ruserok()
To: None <>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-userlevel
Date: 12/12/2001 14:50:29
> * home directory cannot be writable by other (group too??)

I'm not sure about this.  The account is already wide open to anyone
who can write its homedir; I don't see .rhosts as being a big deal.  As
it stands, the message is wrong, too; the message says "other than
owner" but you check only IWOTH, not IWOTH|IWGRP.

> * checks to see if the file changes between lstat & fopen with more
>   vigour

Vide infra.

> * check that .rhosts is a regular file before opening it

You can narrow but not close this window.  Still, since it appears
inevitable (until/unless we get an O_REGONLY flag to open(2)), at least
we can make it as small as feasible.

> The reason for lstat() and preventing .rhosts from being a symbolic
> link isn't clear given that fstat() is used.  If someone else is
> willing to stake their life on stat() being safe and not introducing
> a security hole, it could be used instead of lstat().

Life?  I think that's being overdramatic.

I still[%] don't see any need to do that stat at all.  Given that you
do the open as the user, and that you fstat the fd afterwards (to check
its owner), I can't see anything that preventing symlinks buys you.
Can anyone point out something I'm missing?  (My guess is, the lstat's
presence is a holdover from versions that didn't switch IDs to do the
open, and in that case, the lstat is semi-necessary - though there are
some holes it only shrinks, not closes.)

[%] "still" because I was one of the people involved in the icb
    discussion on this issue.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B