[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Checking executability for asynchronous commands

From: Eli Schwartz
Subject: Re: Checking executability for asynchronous commands
Date: Tue, 29 Dec 2020 14:15:52 -0500

On 12/29/20 10:28 AM, Chet Ramey wrote:
On 12/28/20 5:30 PM, Eli Schwartz wrote:

(Though I have to wonder at these amazing AWOL commands that get uninstalled on people all the time right in the middle of their scripts.

It's a potential security concern, though that class of vulnerabilities
mostly involves executables being changed between testing and execution.

Right, the race condition / security concern is specifically based on the idea that one is checking for permission / authority to run a program, possibly as setuid, and it gets replaced by something malicious before being used.

If you were going to blindly run the program either way, then having it be *uninstalled* (i.e. does not exist, period) is... probably not going to result in security concerns. It will just fail to run. And it would do so even without the race condition.

By all means, let people be concerned about their commands being replaced by attack code. Not about them being rm'ed.

Eli Schwartz
Arch Linux Bug Wrangler and Trusted User

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]