Re: LYNX-DEV Re: ...vulnerability in Lynx...
From: Jonathan Sergent
Subject: Re: LYNX-DEV Re: ...vulnerability in Lynx...
Date: Fri, 09 May 1997 19:15:25 -0500

In message <address@hidden>, Scott McGee (Personal) writes:
] Does this problem you mention where you can create symlinks to a subdir just
] before Lynx opens it, and thus use Lynx to help gain control of a system
] exist solely for Lynx, or is it a general system problem that makes the system
] vulnerable using other programs on the system that create files in /tmp?
]
] (If it is a system problem, I would be interested in why you might think
] Lynx should attempt to address it. Private email preferred on this latter
] question, though you can hit the list and CC me if you wish.)

It does not exist solely for lynx. Other programs have been known to
allow unauthorized access via the same mechanism.

Apparently enough people care about it that several programs (i.e.
elm, pine) which create files in /tmp have been changed because of
this. It's much easier to change all of your applications than it
is to reinvent Unix to have different semantics with regards to
symbolic links.

In my opinion:

We want lynx to work as well (this includes "in a relatively secure
fashion") in as many environments as possible. "We" do this by
creating our temporary files with something like mkstemp.

Until "we" do that, people should set LYNX_TEMP_SPACE to $HOME if at
all possible, or be warned that they might be allowing others access
to their account.

Enough with this until there is code in place to fix it.

--jss.
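
Added example, not part of the original message and not Lynx source code: a C sketch of the mkstemp-style temporary file creation the message recommends, with a self-check showing that exclusive creation refuses a symlink already sitting at the chosen name. The function names, the "lynxXXXXXX" template and the "L1234.tmp" name are hypothetical; only LYNX_TEMP_SPACE and mkstemp come from the message.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Private temp file under LYNX_TEMP_SPACE (else /tmp); returns fd or -1. */
int open_temp_secure(char *path, size_t len)
{
    const char *dir = getenv("LYNX_TEMP_SPACE");
    int n = snprintf(path, len, "%s/lynxXXXXXX", (dir && *dir) ? dir : "/tmp");
    if (n < 0 || (size_t)n >= len) return -1;
    mode_t old = umask(077);   /* some old mkstemp versions created mode 0666 */
    int fd = mkstemp(path);    /* unpredictable name, opened O_CREAT|O_EXCL */
    umask(old);
    return fd;
}

/* Fixed name: fails with EEXIST if anything, even a symlink, is already there. */
int open_fixed_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Self-check in a constructed scratch directory: returns 1 if a pre-placed
 * symlink is refused and its target is never created. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/tmpdemoXXXXXX", lnk[64], target[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/L1234.tmp", dir);     /* constructed name */
    snprintf(target, sizeof target, "%s/target", dir);  /* never created here */
    if (symlink(target, lnk) != 0) { rmdir(dir); return -1; }
    int fd = open_fixed_exclusive(lnk);
    int ok = (fd == -1 && errno == EEXIST && access(target, F_OK) == -1);
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}

int main(void)
{
    char path[256];
    int fd = open_temp_secure(path, sizeof path);
    if (fd >= 0) { printf("created %s\n", path); close(fd); unlink(path); }
    printf("pre-placed symlink refused: %d\n", symlink_is_refused());
    return 0;
}
```

A plain fopen(name, "w") on a predictable name has neither property: it follows an existing symlink and truncates whatever the link points to.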