[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: [PATCH] Fix system() behaviour when parameter is NULL
>> Well...strictly speaking, it works, but opens up a classic
>> test-vs-use race if you then proceed to count on the result to mean
>> that it's safe to use the pathname you tested.
> I think this is what I said.
Mmm. I'd say more that it's an elaboration of what you said.
>> If system()'s caller is set-id, I'm not convinced it will give the
>> answer we want if the ruid and euid have different access rights on
> A different question entirely, and you may be right -- I was simply
> answer the question about whether access() is a security hole per se.
True; this was really returning to the patch that started it all,
rather than continuing down the subthread most of the message was.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents-montreal.org@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Main Index |
Thread Index |