Subject: Re: Question about HOSTALIASES changes
To: None <itojun@iijlab.net>
From: Kazushi (Jam) Marukawa <jam@pobox.com>
List: current-users
Date: 08/14/2000 00:41:07
   On Aug 14, 14:14, itojun@iijlab.net wrote:
   > Subject: Re: Question about HOSTALIASES changes
   > >The original comment said this should check the read permission of
   > >the HOSTALIASES file.  However, this change just avoids all of
   > >them.  Is checking the file permission, following the original
   > >comment, not enough for security?
   > 
   > 	this is due to a security reason.  suppose we set HOSTALIASES to
   > 	something like /dev/foo, and invoke a setuid'ed program.
   > 	a non-root user can let the tape rewind, at least.
   > 	revision 1.27 was insecure.

Yes.  I agree with you.  Therefore, I'm asking why you don't
check the read permission of the file pointed to by HOSTALIASES
before opening it, as the original comment said.  Is there any
security problem with such an implementation?

I think the original comments should be left, at least in order
to let us know how it should work, if such an implementation
doesn't have any security problem.

Regards,
-- Kazushi
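
The two policies discussed in this thread, as an added example that is not part of the original message and is not the NetBSD resolver code: a set-id process ignores HOSTALIASES outright, while an unprivileged one accepts only a regular file. The helper names `running_setid` and `hostaliases_open` are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Portable stand-in for issetugid(): real and effective ids differ. */
static int running_setid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/*
 * Hypothetical helper: return a read-only descriptor for the alias file,
 * or -1 if it must not be used. `setid` is a parameter so both branches
 * can be exercised without installing a set-id binary.
 */
int hostaliases_open(const char *path, int setid)
{
    struct stat st;
    int fd;

    if (path == NULL || *path == '\0')
        return -1;
    /* Privileged: ignore the variable outright, with no stat() and no
     * open(). A check made before open() can go stale, and opening a
     * device node can already have side effects (the tape example). */
    if (setid)
        return -1;
    /* Unprivileged: the user could open this path anyway. Still accept
     * only a regular file, verified on the descriptor, not the name. */
    fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd == -1)
        return -1;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = hostaliases_open(getenv("HOSTALIASES"), running_setid());
    puts(fd >= 0 ? "HOSTALIASES accepted" : "HOSTALIASES ignored");
    if (fd >= 0)
        close(fd);
    return 0;
}
```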