tech-security archive


Re: realpath(3)

On Thu, May 25, 2023 at 10:02:49AM -0400, Greg Troxel wrote:
> writes:
> > This example, IMO, shows that using the same variable to hold
> > either the canonical result, to be used, or an error, that shall
> > NOT be used, relying on programmers to test correctly the return
> > status of a routine, is dangerous.
> So basically you do not like C and the Unix tradition.  I don't see how
> this is really different from the usual situation that it's easy to
> write bad code.

On the contrary, I like C and the Unix tradition. But security is
not expecting all things to be bulletproof, but that for a bullet
to go through, it has to pass several distinct holes, with an effort
to make any component with as few holes as possible---and evidently
not the holes aligned at the very same place in all the components.

The practice (just look at all the incarnations of mount in the NetBSD
sources) shows that expecting programmers to test the return status of
a routine is an optimistic view. What is contrary to C in splitting things
and making someone who does not test go right against the wall,
because precisely what should hold the correct value, on success, is
defined with a specially crafted incorrect value that ensures that he
will not go any further?

C is simplicity and Unix is simplicity and orthogonality. Overloading
does not fit...
        Thierry Laronde <tlaronde +AT+ polynum +dot+ com>
Key fingerprint = 0FF7 E906 FBAF FE95 FD89  250D 52B1 AE95 6006 F40C
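
Added example, not part of the original message and not NetBSD code: a sketch of the split the message argues for, where the status is the return value and the result buffer is poisoned on failure. The names `checked_realpath` and `careless_open` and the sample path are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/*
 * checked_realpath() is a hypothetical name, not a libc or NetBSD function.
 * Status travels in the return value (0 or an errno code); the result
 * travels in `out`.  On failure `out` is the empty string, which pathname
 * resolution rejects with ENOENT, so a partial path can never be used.
 */
int checked_realpath(const char *path, char out[PATH_MAX])
{
    char tmp[PATH_MAX];   /* after an error its contents are not a usable path */

    out[0] = '\0';        /* poison the result before doing anything else */
    if (path == NULL)
        return EINVAL;
    if (realpath(path, tmp) == NULL)
        return errno;
    memcpy(out, tmp, strlen(tmp) + 1);
    return 0;
}

/* A caller that forgets to test the status: it hits the wall at open(). */
int careless_open(const char *path)
{
    char resolved[PATH_MAX];

    (void)checked_realpath(path, resolved);   /* status ignored on purpose */
    return open(resolved, O_RDONLY);          /* "" fails with ENOENT */
}

int main(void)
{
    /* Constructed sample input: a path that does not exist. */
    int fd = careless_open("/constructed-missing-dir/target");

    printf("fd=%d (%s)\n", fd, fd < 0 ? strerror(errno) : "opened");
    if (fd >= 0)
        close(fd);
    return 0;
}
```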
