|
From: | Michael Stone |
Subject: | Re: Bug#393283: RFC: change chown *not* to look up numeric user/group names |
Date: | Thu, 19 Oct 2006 09:53:28 -0400 |
User-agent: | Mutt/1.5.13 (2006-08-11) |
On Thu, Oct 19, 2006 at 11:29:23AM +0200, Jim Meyering wrote:
My motivation for making this change is mainly security. The paranoid user of chown (usually root) should not have to imagine that a numeric user name argument like "1000" might be interpreted as a name and mapped to "0". Can anyone present a case for *not* making this change?
I don't particularly care either way. I think that calling it a security concern is overstating it; if someone can create a user with uid 0 you've got bigger problems than whether they can use that ability to fool root. (Similarly if your root user simply doesn't understand the system they're working on.)
I guess it's a case of "numeric usernames are stupid" vs "will it break something". I don't see much reason *not* to be posix compliant in this case, though.
Mike Stone
[Prev in Thread] | Current Thread | [Next in Thread] |