Re: lynx-dev Re: who owns what

From: Philip Webb
Subject: Re: lynx-dev Re: who owns what
Date: Fri, 9 Oct 1998 20:10:57 -0400 (EDT)

[  pathto  result in another message ]

981009 Bela Lubkin wrote: 
> Philip Webb wrote:
>> how can the Enemy place a link in  ~/purslow ?  i own it.
>> maybe in  /tmp , if the link is to a file under  ~/purslow ,
>> but that's never going to be the case with  .lynxrc .
> Enemy can't; the problem is that Lynx is using the same function
> to check the safety of writing the .lynxrc as for writing a temp file.

but why ever would Lynx be programmed to use the same function to do both?
 /tmp  may be written by lots of people & could be dangerous,
but as i said,  .lynxrc  is always going to be in  $HOME ,
which is in any case otherwise identifiable to Lynx in several ways.
trying to remove an obscure security risk by screwing up  .lynxrc
is not at all impressive programming.

> Compounded by some weirdness of your system that makes the test fail
> even though the directories and links appear to be properly protected.

i've no evidence anything is weird: i'll go with our sysadmin;
it's merely a case the programmer dismissed because he never encountered it:
maybe his experience is rather limited.

> However, when you disable the checking code you are also disabling it
> for times when Lynx *is* trying to write to /tmp;
> you're opening yourself to the previously discussed problems.

so offer me something which works: I'm the only one so far to solve it.

>> so why did the problem arise explicitly for anonymous Enemies,
>> as is shown by the messages in the Archive i referred to yesterday?
> You referred to 2 months worth of messages, -- I didn't go looking.
> I'll follow a direct URL to a specific message.

that's exactly what i gave: number links, go to the Archive HTML version
& look at Sep [445 662 769] & Aug [11]: TD LP & Mike Castle are authors.
they explicitly refer to ANONYMOUS use as the problem.

>> nothing you've said above establishes there could be a problem
>> on an ordinarily well-managed UNIX site without anonymous users,
> There could be.  Even with a sticky /tmp directory, there are ways
> to attack, and the code you patched out attempts to avoid those.

so are you saying that UNIX is inherently unsafe?
ie you always have to check programs in detail
to ensure you aren't open to the kinds of attacks described on lynx-dev?
that sysadmins who know what they are doing still can't prevent it?
that anyone can set up a symlink to a file they don't own?
the last of these is the gist of the danger you describe
& i'm amazed if that is really the case:
surely someone would long ago have brought out a new version of UNIX
which is protected against it: there are lots of UNICES, after all.

>> which leaves me with the basic question unanswered:
>> should lynx-dev be going to such lengths to protect vs anonymous enemies?
> Please stop with the straw man.

not according to the lynx-dev messages i referred you to above.

> the enemies you're being slightly overprotected against are
> *anyone with shell access* on the machine on which you run Lynx.

i cannot believe that there is such a security weakness in UNIX
& that no-one has created a revised version of UNIX to avoid it:
you simply prohibit users making symlinks to files they don't own.

SUPPORT     ___________//___,  Philip Webb : address@hidden
ELECTRIC   /] [] [] [] [] []|  Centre for Urban & Community Studies
TRANSIT    `-O----------O---'  University of Toronto
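
The thread above concerns a symlink planted by another local user where a program is about to write a file in a shared directory such as /tmp. As an added example (not part of the original message and not Lynx's code), this C sketch shows the usual defensive pattern: create the file with `O_CREAT|O_EXCL` and verify the opened object with `fstat`. The names `safe_create` and `demo` and the scratch paths are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not Lynx's function: create a NEW file in a directory
 * other users can write to. O_CREAT|O_EXCL fails with EEXIST if the name
 * exists at all and never follows a symlink in the final path component. */
int safe_create(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    /* Verify the object actually opened, not the name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private scratch directory: "planted" is a symlink
 * sitting where the program wants its temp file and pointing at "victim".
 * Returns 1 if the link was refused, victim is unchanged, and an unused name
 * can still be created. */
int demo(void)
{
    char dir[] = "/tmp/symdemoXXXXXX", victim[64], planted[64], fresh[64];
    struct stat st; FILE *f;
    int fd, ok;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/planted", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);
    if (!(f = fopen(victim, "w"))) return 0;
    fputs("keep", f); fclose(f);
    if (symlink(victim, planted) != 0) return 0;
    fd = safe_create(planted);   /* must fail: the name is already taken */
    ok = fd < 0 && errno == EEXIST && stat(victim, &st) == 0 && st.st_size == 4;
    fd = safe_create(fresh);     /* an unused name is created normally */
    ok = ok && fd >= 0; if (fd >= 0) close(fd);
    unlink(fresh); unlink(planted); unlink(victim); rmdir(dir);
    return ok;
}
int main(void) { puts(demo() ? "planted symlink refused" : "check failed"); return 0; }
```

This pattern only suits files that are meant to be newly created; a file that must be rewritten in place, such as a settings file in the user's own home directory, needs a different check.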
