Re: [Nano-devel] what is --nofollow good for?
From: Kamil Dudka
Subject: Re: [Nano-devel] what is --nofollow good for?
Date: Mon, 01 Feb 2016 16:37:57 +0100
User-agent: KMail/4.14.10 (Linux/4.3.3-303.fc23.x86_64; KDE/4.14.16; x86_64; ; )
On Monday 01 February 2016 09:30:50 address@hidden wrote:
> On 28 Jan 2016 16:18, Mike Frysinger wrote:
> > On 28 Jan 2016 19:54, Benno Schulenberg wrote:
> > > On Thu, Jan 28, 2016, at 17:47, Mike Frysinger wrote:
> > > > On 28 Jan 2016 10:01, Benno Schulenberg wrote:
> > > > > So this hasn't been working for at least twelve years.
> > > > > (And why should it? If they want the symlink gone, they
> > > > > can simply delete it beforehand. Why should nano do the
> > > > > work for them?)
> > > >
> > > > because when you try to edit files in dirs that others have access
> > > > to, you want to make sure a save operation does not get redirected
> > > > to a place you did not intend. simply saying "if there's a
> > > > symlink, you should delete it first" doesn't help.
> > >
> > > Okay. However, if the current code were working correctly,
> > > then there is a little time between the unlink of the symlink
> > > and the open(O_WRONLY | O_CREAT | O_TRUNC) of the file to be
> > > written. So there is a window for someone to quickly recreate
> > > the symlink. So --nofollow would give a false sense of security.
> >
> > i'm not suggesting nano works well currently ;). just providing
> > a real world example of where this functionality makes sense. if
> > you don't want to support it, then so be it.
> >
> > > Also, is there any other editor that has this feature: overwrite
> > > symlinks instead of following them?
> >
> > no idea
>
> This is just a short list
>
> Editor name   Vulnerable   Notes
> ne            Y            Its full name is nice editor
> nedit         Y            Yells, screams, but still is vulnerable
> libreoffice   Y            Warns that file has changed, but not how
> xemacs        Y            Warns that file has changed, but not how
> adie          Y            brings up save dialogue every time
> Sincerely, David
Vulnerable to what? The symlink attack?
nano defends against this by printing the "File was modified since you opened it,
continue saving ?" prompt, doesn't it?
http://svn.savannah.gnu.org/viewvc/trunk/nano/src/files.c?root=nano&r1=4344&r2=4343
This used to be referred to as CVE-2010-1160:
https://access.redhat.com/security/cve/cve-2010-1160
Kamil
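
The window discussed in this thread, between the unlink of the symlink and the open(O_WRONLY | O_CREAT | O_TRUNC), closes when the symlink check is part of the open call itself. The following C code is an added example, not taken from nano or from any message in the thread; `save_nofollow` and `demo_symlink_refused` are hypothetical names, the paths are constructed, and the ELOOP result assumes Linux.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not nano's code): write buf to path, refusing a
 * symlink as the final path component. Returns 0 on success, -1 on failure. */
int save_nofollow(const char *path, const char *buf, size_t len)
{
    struct stat st;
    /* No O_TRUNC here: nothing is modified until the opened object is verified. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;               /* errno is ELOOP for a symlink */
    /* fstat() inspects the descriptor, so swapping the name later changes nothing. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || ftruncate(fd, 0) < 0)
        goto fail;
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) goto fail;
        buf += n; len -= (size_t)n;
    }
    return close(fd);
fail:
    close(fd);
    return -1;
}

/* Constructed scenario: "note" is a symlink in a shared directory pointing at
 * "victim". Returns 1 if the save is refused and victim keeps its content. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/nofollowXXXXXX", victim[64], note[64], got[16] = "";
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(note, sizeof note, "%s/note", dir);
    if (save_nofollow(victim, "keep", 4) != 0 || symlink(victim, note) != 0)
        return -1;
    int rc = save_nofollow(note, "new!", 4), err = errno;
    FILE *f = fopen(victim, "r");
    if (f) { got[fread(got, 1, sizeof got - 1, f)] = '\0'; fclose(f); }
    unlink(note); unlink(victim); rmdir(dir);
    return rc == -1 && err == ELOOP && strcmp(got, "keep") == 0;
}

int main(void) { return demo_symlink_refused() == 1 ? 0 : 1; }
```

O_NOFOLLOW only covers the final path component; symlinks in parent directories are still followed.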