On 01/10/2018 05:18 PM, James Le Cuirot wrote:
>
> The init script used to call chown/chmod -R, which is
> obviously bad. I've compromised by only calling these on the
> directories themselves (ignoring symlinks). I believe this is safe
> because it's not possible to create hard linked directories these days?
> Would you agree?

Are you still using chown and chmod? If so, you should switch to
checkpath -- chown and chmod don't even try to avoid hard links. I would
be surprised to see a "chown" or "chmod" in an init script that can't be
replaced by something better.

The race condition that we're talking about here is trying to squeeze
the last 1% of security out of checkpath; it's already much safer than
chown/chmod.

For example, if your script is calling chown and chmod on two
directories /foo and /foo/bar, then whoever owns /foo can kill /foo/bar
entirely and replace it with a hard link to /etc/passwd. When the
service restarts, chown and chmod won't care that you think /foo/bar
should be a directory instead.
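The hard-link substitution described in the last paragraph, worked through as an added example (this is not code from the mail, from OpenRC, or from checkpath). A constructed temp tree stands in for /foo, /foo/bar and /etc/passwd; an "attacker" step removes the real subdirectory and hard-links the sensitive file in its place; then two fix-up routines run over the same path list. naive_fix is the chmod-by-path pattern the mail criticises. fd_fix is a hypothetical alternative that opens the path with O_DIRECTORY|O_NOFOLLOW, verifies the opened inode is a directory, and applies fchmod to that descriptor. The example uses chmod rather than chown so it runs unprivileged; the same descriptor would be handed to os.fchown. Function names and the tree layout are the example's own assumptions.

```python
import errno
import os
import stat
import tempfile


def build_tree():
    """Constructed scenario: 'foo' is the service directory whose owner we
    don't trust, 'foo/bar' a subdirectory the init script also fixes up, and
    'secret' a mode-0600 file standing in for /etc/passwd (same filesystem,
    so a hard link to it is possible)."""
    base = tempfile.mkdtemp(prefix="hardlink-demo-")
    foo = os.path.join(base, "foo")
    bar = os.path.join(foo, "bar")
    secret = os.path.join(base, "secret")
    os.mkdir(foo, 0o700)
    os.mkdir(bar, 0o700)
    with open(secret, "w") as f:
        f.write("root:x:0:0::/root:/bin/sh\n")  # constructed content
    os.chmod(secret, 0o600)
    return base, foo, bar, secret


def attacker_swaps_bar(bar, secret):
    """What the owner of foo can do between service restarts: delete the
    real directory and put a hard link to the target where it used to be.
    A hard link is not a symlink, so 'ignoring symlinks' does not catch it."""
    os.rmdir(bar)
    os.link(secret, bar)


def naive_fix(paths, mode):
    """The pattern the mail warns about: chmod by path, no type check.
    Through the hard link this rewrites the mode of 'secret' itself."""
    for p in paths:
        os.chmod(p, mode)


def fd_fix(paths, mode):
    """Descriptor-based variant (hypothetical, not checkpath's code):
    O_DIRECTORY makes the open fail with ENOTDIR on anything that is not a
    directory, O_NOFOLLOW fails with ELOOP on a symlink, and fstat confirms
    the type of the inode we actually hold. Because fchmod acts on that
    pinned inode, the path cannot be swapped between the check and the
    change. Returns the paths that were refused."""
    rejected = []
    for p in paths:
        try:
            fd = os.open(p, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
        except OSError as e:
            if e.errno in (errno.ENOTDIR, errno.ELOOP):
                rejected.append(p)
                continue
            raise
        try:
            if not stat.S_ISDIR(os.fstat(fd).st_mode):
                rejected.append(p)
                continue
            os.fchmod(fd, mode)
        finally:
            os.close(fd)
    return rejected


def mode_of(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo():
    """Run both fix-ups against the swapped tree and report what happened
    to the sensitive file."""
    results = {}
    base, foo, bar, secret = build_tree()
    attacker_swaps_bar(bar, secret)

    naive_fix([foo, bar], 0o755)
    results["naive_secret_mode"] = mode_of(secret)  # clobbered to 0o755

    os.chmod(secret, 0o600)  # reset for the second run
    refused = fd_fix([foo, bar], 0o755)
    results["fd_secret_mode"] = mode_of(secret)  # still 0o600
    results["fd_rejected"] = [os.path.relpath(p, base) for p in refused]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, oct(v) if isinstance(v, int) else v)
```

The point of the descriptor-based variant is that the type check and the permission change happen on the same open inode; a shell-level `test -d` before `chmod` would reject this particular swap too, but leaves a window between the test and the chmod in which the swap can still happen.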