lynx-dev

Re: LYNX-DEV Re: ...vulnerability in Lynx...


From: Jonathan Sergent
Subject: Re: LYNX-DEV Re: ...vulnerability in Lynx...
Date: Fri, 09 May 1997 19:15:25 -0500

In message <address@hidden>, Scott McGee (Personal) writes:
 ] Does this problem you mention where you can create symlinks to a subdir just
 ] before Lynx opens it, and thus use Lynx to help gain control of a system
 ] exist solely for Lynx, or is it a general system problem that makes the system
 ] vulnerable using other programs on the system that create files in /tmp?
 ] 
 ] (If it is a system problem, I would be interested in why you might think
 ] Lynx should attempt to address it. Private email preferred on this latter
 ] question, though you can hit the list and CC me if you wish.)

It does not exist solely for lynx.  Other programs have been known to
allow unauthorized access via the same mechanism. 

Apparently enough people care about it that several programs (i.e. 
elm, pine) which create files in /tmp have been changed because of 
this.  It's much easier to change all of your applications than it 
is to reinvent Unix to have different semantics with regards to 
symbolic links.

In my opinion:

We want lynx to work as well (this includes "in a relatively secure
fashion") in as many environments as possible.  "We" do this by 
creating our temporary files with something like mkstemp.

Until "we" do that, people should set LYNX_TEMP_SPACE to $HOME if at
all possible, or be warned that they might be allowing others access
to their account.

Enough with this until there is code in place to fix it.


--jss.
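
The message above proposes creating temporary files "with something like mkstemp". The following C program is an added example, not part of the original post and not Lynx code: it runs a predictable-name open and a mkstemp-based open side by side in a private scratch directory that already holds a symlink. The function names, the file name `L1234.html` and the scratch directory are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Before": a predictable name opened without O_EXCL follows any symlink
 * that another local user has already placed at that path. */
int open_predictable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* "After": mkstemp() picks an unpredictable name and creates it with
 * O_CREAT|O_EXCL, so an existing file or symlink is never reused. */
int open_private_temp(const char *dir, char *path, size_t len)
{
    int n = snprintf(path, len, "%s/lynxXXXXXX", dir);
    if (n < 0 || (size_t)n >= len) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(path);
}

/* Runs both opens in a scratch directory holding a constructed symlink.
 * Bit 0 of the result: the predictable-name open wrote through the link.
 * Bit 1: mkstemp produced a fresh regular file with no group/other access. */
int symlink_demo(void)
{
    char dir[] = "/tmp/symdemoXXXXXX", target[64], lnk[64], tmp[64];
    struct stat st;
    int result = 0, fd;

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/L1234.html", dir);  /* predictable name */
    if (symlink(target, lnk) != 0) return -1;
    if ((fd = open_predictable(lnk)) >= 0) close(fd);
    if (stat(target, &st) == 0) result |= 1;          /* link was followed */

    fd = open_private_temp(dir, tmp, sizeof tmp);
    if (fd >= 0 && fstat(fd, &st) == 0 && lstat(tmp, &st) == 0 &&
        S_ISREG(st.st_mode) && (st.st_mode & 077) == 0) result |= 2;
    if (fd >= 0) { close(fd); unlink(tmp); }
    unlink(lnk); unlink(target); rmdir(dir);
    return result;
}

int main(void) { printf("result=%d\n", symlink_demo()); return 0; }
```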