Re: TOCTTOU race
From: Maxime Devos
Subject: Re: TOCTTOU race
Date: Mon, 22 Feb 2021 20:13:05 +0100
User-agent: Evolution 3.34.2
Hi,
On Mon, 2021-02-22 at 09:54 +0100, Ludovic Courtès wrote:
> [...]
> > Subject: [PATCH] services: prevent following symlinks during activation
> ^
> Nitpick: we usually capitalize here and in the commit log.
Fixed! Also added a period at the end.
> Perhaps add a couple of lines explaining that this fixes a potential
> security issue, with a link to this thread.
Done. But since ....
> > Currently, there's a TOCTTOU race. This can be addressed
> > once guile has bindings for fstatat, openat and friends.
... I only claim it's a partial fix at best in the commit message.
> I’d move that comment next to the ‘mkdir-p/perms’ definition.
I copied it there, but left it (reworded slightly) in the commit
message, to avoid giving a false impression the potential security issue
is really fixed.
> > * guix/build/service-utils.scm: new module
> > with new procedure 'mkdir-p/perms'.
>
> I think you can remove these lines.
I removed the ‘Makefile.am’ and ‘guix/build/service-utils.scm’
lines which aren't relevant anymore, but kept the other lines.
Is all addressed now? (Aside from the TOCTTOU.)
Maxime.
Attachments: 0001-services-Prevent-following-symlinks-during-activatio.patch (text), signature.asc (digitally signed message part)
- Re: Potential security weakness in Guix services, (continued)
- Re: Potential security weakness in Guix services, Ludovic Courtès, 2021/02/06
- TOCTTOU race (was: Potential security weakness in Guix services), Maxime Devos, 2021/02/14
- Re: TOCTTOU race (was: Potential security weakness in Guix services), Bengt Richter, 2021/02/14
- Re: TOCTTOU race, Ludovic Courtès, 2021/02/18
- Re: TOCTTOU race, Maxime Devos, 2021/02/19
- Re: TOCTTOU race, Ludovic Courtès, 2021/02/22
- Re: TOCTTOU race, Maxime Devos, 2021/02/22 (this message)
- Re: TOCTTOU race, Ludovic Courtès, 2021/02/23
- Re: TOCTTOU race, Maxime Devos, 2021/02/27
- Re: Potential security weakness in Guix services, Christopher Lemmer Webber, 2021/02/10