Re: first draft of "relocatable" module
From: Ralf Wildenhues
Subject: Re: first draft of "relocatable" module
Date: Fri, 2 Mar 2007 08:57:23 +0100
User-agent: Mutt/1.5.14 (2007-02-28)

Hello Bruno,
* Bruno Haible wrote on Fri, Mar 02, 2007 at 02:30:07AM CET:
> Ralf Wildenhues wrote:
>
> > > for example, --prefix=/tmp/inst$$.
> >
> > This bit doesn't. Since /tmp is usually world-writable, you've got your
> > attack vector already.
>
> /tmp is world-writable but a directory created by a user in /tmp is not
> world-writable (assuming an umask of at least 002). Therefore I don't see
> a security problem here.

On several systems that I know, /tmp is cleaned at system startup, or
old files are removed at regular intervals. So after you've installed
your stuff, at some point /tmp/inst$$ is removed again (possibly even by
you). At that time, I can write to /tmp/inst$$. I can usually even
look at your binaries (in the final location) first to find out about
the value of $$ that was used by you at 'make install' time.

That's a trivial attack on the systems where run path overrides the
shared library path variable.

Cheers,
Ralf
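
An audit for the condition described in the message above, as an added example that is not part of the original thread: it reads the run path from `readelf -d` output and reports absolute entries that are world-writable or that no longer exist beneath a world-writable directory. The function names and the sample readelf text are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# DT_RPATH / DT_RUNPATH lines as printed by `readelf -d <binary>`.
_RUNPATH_RE = re.compile(r"\((?:RPATH|RUNPATH)\).*?\[(.*?)\]")


def nearest_existing(path):
    """Return (deepest existing prefix of path, whether path itself exists)."""
    current = os.path.normpath(path)
    present = os.path.exists(current)
    while not os.path.exists(current):
        current = os.path.dirname(current)
    return current, present


def audit_runpath(readelf_dynamic_output):
    """Return [(entry, reason)] for run path entries any local user could populate."""
    findings = []
    for match in _RUNPATH_RE.finditer(readelf_dynamic_output):
        for entry in filter(None, match.group(1).split(":")):
            if not os.path.isabs(entry):
                continue  # $ORIGIN and relative entries are not handled here
            anchor, present = nearest_existing(entry)
            if not os.stat(anchor).st_mode & stat.S_IWOTH:
                continue
            reason = ("directory is world-writable" if present
                      else f"missing, and {anchor} is world-writable")
            findings.append((entry, reason))
    return findings


def demo():
    """Run the audit on constructed readelf output (not from a real binary)."""
    shared = tempfile.mkdtemp()          # stands in for /tmp
    os.chmod(shared, 0o1777)
    private = tempfile.mkdtemp()         # created 0700, stands in for a real prefix
    stale = os.path.join(shared, "inst12345", "lib")  # prefix that was cleaned away
    sample = (
        f" 0x000000000000000f (RPATH)    Library rpath: [{stale}:{private}]\n"
        " 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]\n"
    )
    return audit_runpath(sample), stale, private


if __name__ == "__main__":
    for entry, reason in demo()[0]:
        print(f"{entry}: {reason}")
```
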