Hi,

The crontab -e fix I suggested was just symptom-treatment and therefore an inferior solution. But I was on the track of a problem. The problem comes down to the following: editors should not be allowed to create backup files in world-writable directories since the backup filename is very predictable.

Here is a patch for mg which implements this idea. The comments also mention other problems so it should be used for consideration only.

Index: fileio.c ================================================== ================= RCS file: /cvs/src/usr.bin/mg/fileio.c,v retrieving revision 1.43 diff -u -w -p -r1.43 fileio.c --- fileio.c 11 Jan 2005 17:19:16 -0000 1.43 +++ fileio.c 30 Jan 2005 10:20:25 -0000 @@ -153,14 +153,25 @@ ffgetline(char *buf, int nbuf, int *nbyt * with an open fd will get the backup, not the new file. This is * a problem when using mg with things like crontab and vipw. */ + +/* + * Which is an inferior solution to the problem, It's better to * + * refuse to make backupfiles in worldwritable-dirs + */ + +/* Another caveat: ewprintf notices are lost if return FALSE is + * used since they are overwritten at once. */ + int fbackupfile(const char *fn) { - struct stat sb; + struct stat sb, sd; int from, to, serrno; ssize_t nread; char buf[BUFSIZ]; char *nname; + char *wdir; + static char cwd[NFILEN]; if (stat(fn, &sb) == -1) { ewprintf("Can't stat %s : %s", fn, strerror(errno)); 
@@ -173,6 +184,24 @@ fbackupfile(const char *fn) return (ABORT); } + if ((wdir = getcwd(cwd, sizeof(cwd))) == NULL) { + ewprintf("Can't get current directory!"); + return (FALSE); + } + + if (stat(cwd, &sd) == -1) { + ewprintf("Can't stat %s : %s", cwd, strerror(errno)); + return (FALSE); + } + + /* We don't want to create backupfiles in world-writable + * directories, like /tmp, since the filename is predic- + * table */ + if (sd.st_mode & S_IWOTH ) { + ewprintf("I refuse to create backupfiles in worldwritable dir: %s", wdir); + return(FALSE); + } + if ((from = open(fn, O_RDONLY)) == -1) { free(nname); return (FALSE); # Han |
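Review bot: In the first hunk (@@ -153,14 +153,25 @@), the added declarations `char *wdir;` and `static char cwd[NFILEN];` carry more state than the check needs. On success getcwd() returns the buffer it was given, so wdir is only an alias for cwd, and nothing in the visible code requires the buffer to be static; one automatic buffer would do. Because the buffer is sized NFILEN, getcwd() fails when the current path does not fit, which turns a long working directory into a refused backup. The first added comment also has a stray "*" at the end of its first line ("It's better to *") and reads as a continuation of the existing comment above it; folding it into that comment would be cleaner.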
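Review bot: In the second hunk (@@ -173,6 +184,24 @@), the world-writable test looks at the current working directory (`getcwd(cwd, sizeof(cwd))` followed by `stat(cwd, &sd)`) and never at fn, so it judges the wrong directory whenever fn names a file outside the current directory. An editor started from a private directory on a file under /tmp passes the check, and one started in /tmp on a file elsewhere is refused. Derive the directory from fn (for example dirname(3) on a copy of fn) and stat that instead. The three new `return (FALSE)` paths also appear to skip the `free(nname)` that the open() failure path directly below performs, and the "Can't get current directory!" message omits strerror(errno), unlike the stat() messages. Finally, the comment added in the first hunk says ewprintf notices are lost when FALSE is returned, so the refusal message here may never be seen by the user.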