This is the mail archive of the cygwin-xfree@cygwin.com mailing list for the Cygwin XFree86 project.



Re: Logfile symlink vulnerability


Eran,

> It's really a classical Unix security pitfall that occurs whenever you
> write to files in world-writable directories. It has to be dealt with at
> the application level, either by being careful about existing files or
> by using atomically generated unique filenames.

Because the vulnerability is not unique to Cygwin/X, as you
mentioned, it should be fixed in upper levels so that every
implementation of XFree86 can benefit.  If some of those
(e.g. the X server of Linux) have already fixed it, we can borrow
it instead of a redundant reinvention.

However, I must say that I can't contribute to this point
because of a lack of time.  Could you look into other
implementations?  It would be greatly appreciated.

Takuma Murakami
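
The two application-level approaches named in the quoted text (being careful about existing files, and atomically generated unique filenames), sketched in C as an added example; this is not code from the thread or from XFree86. The function names, the `/tmp/logdemo.XXXXXX` directory and the `server.log` file name are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Careful about existing files: create exclusively, never follow a symlink
 * at the final path component, and reuse an existing file only if it is a
 * regular, singly linked file owned by us. Returns an fd, or -1. */
int open_log_careful(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 || errno != EEXIST)
        return fd;                      /* created fresh, or a hard error */
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW); /* fails on a symlink */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);                      /* someone else's file, or a hard link */
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Atomically generated unique filename: mkstemp() picks the name and opens
 * it with O_CREAT|O_EXCL and mode 0600 in one step. */
int open_log_unique(char *tmpl) { return mkstemp(tmpl); }

/* Constructed scenario: a symlink is already planted at the log path.
 * Returns 1 if it is refused, its target is never created, and the
 * unique-name variant still succeeds in the same directory. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/logdemo.XXXXXX", log[64], uniq[64], victim[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(log, sizeof log, "%s/server.log", dir);
    snprintf(uniq, sizeof uniq, "%s/server.log.XXXXXX", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, log) != 0) return -1;
    int fd = open_log_careful(log);
    int ufd = open_log_unique(uniq);
    int ok = fd < 0 && stat(victim, &st) != 0 && ufd >= 0;
    if (ufd >= 0) close(ufd);
    unlink(uniq); unlink(log); rmdir(dir);
    return ok;
}
```

The checks run on the opened descriptor with `fstat()` rather than on the path, so the file cannot be swapped between the check and the write.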

