This is the mail archive of the cygwin-xfree@cygwin.com mailing list for the Cygwin XFree86 project.
Re: Logfile symlink vulnerability
- From: Takuma Murakami <takuma at dgp dot ne dot jp>
- To: cygwin-xfree at cygwin dot com
- Date: Mon, 22 Mar 2004 17:26:11 +0900
- Subject: Re: Logfile symlink vulnerability
- References: <405E120C.1030200@msu.edu> <405E2A22.1020604@tromer.org>
- Reply-to: cygwin-xfree at cygwin dot com
Eran,
> It's really a classical Unix security pitfall that occurs whenever you
> write to files in world-writable directories. It has to be dealt with at
> the application level, either by being careful about existing files or
> by using atomically generated unique filenames.
Because the vulnerability is not unique to Cygwin/X as you
mentioned, it should be fixed in upper levels so that every
implementation of XFree86 can benefit. If some of those
(e.g. the X server of Linux) have already fixed it, we can borrow
it instead of a redundant reinvention.
However, I must say that I can't contribute to this point
because of a lack of time. Could you look into other
implementations? It would be greatly appreciated.
Takuma Murakami
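
Added example, not part of the original message and not XFree86 or Cygwin/X code: a C sketch of the two application-level defences named in the quoted text, atomic creation and careful handling of an existing file, for a log file in a world-writable directory. The function names, the file names and the temporary directory standing in for /tmp are assumptions made for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, mkdtemp */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Open a log file in a possibly world-writable directory without following
 * a planted symlink. Returns an fd, or -1 with errno set. */
int open_log_safely(const char *path)
{
    /* Atomic creation: O_EXCL fails if anything, even a dangling symlink, exists. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 || errno != EEXIST)
        return fd;

    /* Existing file: O_NOFOLLOW rejects a symlink in the last component, and
     * fstat() inspects the object actually opened, so there is no race. */
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;            /* not our own plain, singly linked file */
        return -1;
    }
    return fd;
}

/* Constructed scenario: "victim" is a file the log writer must not touch and
 * "X.log" is a symlink to it. Returns 1 if the open is refused, victim intact. */
int planted_symlink_is_refused(void)
{
    char dir[] = "/tmp/logdemoXXXXXX", victim[64], logp[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logp, sizeof logp, "%s/X.log", dir);
    close(open(victim, O_WRONLY | O_CREAT, 0600));
    if (symlink(victim, logp) != 0) return -1;
    int fd = open_log_safely(logp);
    struct stat st;
    int ok = (fd < 0) && stat(victim, &st) == 0 && st.st_size == 0;
    if (fd >= 0) close(fd);
    unlink(logp); unlink(victim); rmdir(dir);
    return ok;
}
```

An `lstat()` check followed by a plain `open()` would leave a window between the check and the open; checking the opened descriptor with `fstat()` avoids it.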