tech-userlevel archive


Re: [PATCH] Fix system() behaviour when parameter is NULL

On Thu, Aug 28, 2008 at 08:46:38PM +0100, David Laight wrote:
 > On Thu, Aug 28, 2008 at 02:26:28PM -0400, Steven M. Bellovin wrote:
 > > Better wording of the warning might be something like
 > > 
 > >    Although access() checks the real uid's permissions, it should
 > >    never be used for access permission checks by setuid() programs.
 > Or maybe like:
 >      The file's permissions may change between the call to access(2)
                              ^ or identity
 >      and any subsequent action performed based on the result.
 >      It should never be used for security checks by setuid() programs.

and s/by setuid() programs//,

but with those provisos seems reasonable.

David A. Holland
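
The race the proposed wording describes, as an added example that is not part of the original thread: a path passes access(2), is replaced before it is used, and the stale result is avoided by opening first and checking the descriptor with fstat(2). The function names, the ownership and mode checks, and the rename() standing in for a concurrent change are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open first, then check the object the descriptor refers to. fstat(2)
 * describes the opened file itself, so a later rename or chmod of the
 * path cannot invalidate the result. (Hypothetical helper.) */
int open_then_check(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: the path passes access(2), is then replaced by
 * a different, world-writable file, and is used afterwards. Returns 1
 * if the access() answer went stale and open_then_check() refused the
 * replacement, 0 otherwise, -1 on setup failure. */
int demo_stale_check(void)
{
    char dir[] = "/tmp/access-demo-XXXXXX", a[64], b[64];
    struct stat before, after;
    int fd, ok;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(a, sizeof a, "%s/conf", dir);
    snprintf(b, sizeof b, "%s/other", dir);
    if ((fd = open(a, O_CREAT | O_WRONLY, 0600)) < 0) return -1;
    close(fd);
    if ((fd = open(b, O_CREAT | O_WRONLY, 0600)) < 0) return -1;
    fchmod(fd, 0666);                   /* bypass umask: world-writable */
    close(fd);
    ok = access(a, R_OK) == 0 && stat(a, &before) == 0;   /* the check */
    ok = ok && rename(b, a) == 0;       /* identity changes in between */
    ok = ok && stat(a, &after) == 0 && before.st_ino != after.st_ino;
    fd = open_then_check(a);            /* the use, checked on the fd */
    ok = ok && fd < 0;
    if (fd >= 0) close(fd);
    unlink(a);
    rmdir(dir);
    return ok;
}
int main(void) { return demo_stale_check() == 1 ? 0 : 1; }
```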
