Date:      Wed, 10 Aug 2005 15:54:07 +0200
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Stefan Bethke <stb@lassitu.de>
Cc:        drvince@anonymnet.net, freebsd-current@FreeBSD.org
Subject:   Re: More into /etc/rc.d/jail
Message-ID:  <20050810135406.GD851@zaphod.nitro.dk>
In-Reply-To: <4204340F-B78E-4913-8B0A-563335266EA9@lassitu.de>
References:  <N1-uLBXxM-zn8@Safe-mail.net> <96153776-0BE4-456F-B573-042E84730DFE@lassitu.de> <20050809220809.GD928@zaphod.nitro.dk> <4204340F-B78E-4913-8B0A-563335266EA9@lassitu.de>


On 2005.08.10 00:21:17 +0200, Stefan Bethke wrote:
> On 10.08.2005 at 00:08, Simon L. Nielsen wrote:
>
> >On 2005.08.09 23:30:26 +0200, Stefan Bethke wrote:
> >
> >>    sed -e 's/#.*$//' <${mdconfig_conf} |grep -v '^[[:space:]]*$'
>>>/tmp/mdconfig.$$
> >
> >Try searching the web for "temporary file symlink attack"... (hint:
> >creating temporary files like that is bad, use mktemp).
>
> Again, thanks for the hint.  This was meant as a starting point; it
> was hacked together as a stop-gap measure in twenty minutes. (And has
> persisted over six months now...)

I agree that it's unlikely to be actually exploited, but there might
be situations where it can be, which is why I wanted to point out the
problem.  Hacks have a tendency to stay around exactly like the six
month part of your paragraph, which is rather common, :-).

> I would be more than happy for someone else taking this script,
> polishing it, and getting it committed, so I don't have to remember
> not nuking it on the next mergemaster :-)

I will let the rc.d gurus ponder a bit about how this is done best :-).

-- 
Simon L. Nielsen
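
The mktemp hint from the message above, as an added example that is not part of the original e-mail or of the rc.d script under discussion: the quoted pipeline with its predictable `/tmp/mdconfig.$$` target next to a mktemp-based form, compared in a private scratch directory where the predictable path already exists as a symlink. The function names, the scratch directory standing in for `/tmp`, and the sample config lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Pattern from the quoted script: predictable name, plain '>' redirect.
# $1 stands in for /tmp so the comparison stays inside a scratch directory.
strip_conf_unsafe() {
    out="$1/mdconfig.$$"
    sed -e 's/#.*$//' <"$2" | grep -v '^[[:space:]]*$' >"$out" || true
    printf '%s\n' "$out"
}

# Hardened form: mktemp chooses an unpredictable name and creates the file
# exclusively with mode 0600, so an existing file or symlink is never reused.
strip_conf() {
    [ -r "$1" ] || return 1
    out=$(mktemp "${TMPDIR:-/tmp}/mdconfig.XXXXXXXXXX") || return 1
    rc=0
    sed -e 's/#.*$//' <"$1" | grep -v '^[[:space:]]*$' >"$out" || rc=$?
    # grep exits 1 when every line was filtered out; only >1 is a real error.
    if [ "$rc" -gt 1 ]; then rm -f "$out"; return 1; fi
    printf '%s\n' "$out"
}

# Run both forms in a private scratch directory where the predictable path
# already exists as a symlink to another file. Prints "<unsafe> <safe>", each
# "clobbered" or "intact" for the file behind the link.
compare_forms() {
    box=$(mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXXXXXX") || return 1
    printf '# comment\nmd0 /jail/a.img\n\n   \nmd1 /jail/b.img # note\n' >"$box/conf"
    result=""
    for form in unsafe safe; do
        printf 'precious\n' >"$box/other"
        ln -sf "$box/other" "$box/mdconfig.$$"
        if [ "$form" = unsafe ]; then
            strip_conf_unsafe "$box" "$box/conf" >/dev/null
        else
            ( TMPDIR=$box; strip_conf "$box/conf" ) >/dev/null
        fi
        if [ "$(cat "$box/other")" = precious ]; then state=intact; else state=clobbered; fi
        result="$result$state "
    done
    rm -rf "$box"
    printf '%s\n' "${result% }"
}

compare_forms   # prints: clobbered intact
```

A caller of `strip_conf` owns the returned file and should remove it when done, for example with `trap 'rm -f "$tmp"' EXIT`.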
