| 1 |
On 01/10/2018 05:18 PM, James Le Cuirot wrote: |
| 2 |
> |
| 3 |
> The init script used to call chown/chmod -R, which is |
| 4 |
> obviously bad. I've compromised by only calling these on the |
| 5 |
> directories themselves (ignoring symlinks). I believe this is safe |
| 6 |
> because it's not possible to create hard linked directories these days? |
| 7 |
> Would you agree? |
| 8 |
|
| 9 |
Are you still using chown and chmod? If so, you should switch to |
| 10 |
checkpath -- chown and chmod don't even try to avoid hard links. I would |
| 11 |
be surprised to see a "chown" or "chmod" in an init script that can't be |
| 12 |
replaced by something better. |
| 13 |
|
| 14 |
The race condition that we're talking about here is trying to squeeze |
| 15 |
the last 1% of security out of checkpath; it's already much safer than |
| 16 |
chown/chmod. |
| 17 |
|
| 18 |
For example, if your script is calling chown and chmod on two |
| 19 |
directories /foo and /foo/bar, then whoever owns /foo can kill /foo/bar |
| 20 |
entirely and replace it with a hard link to /etc/passwd. When the |
| 21 |
service restarts, chown and chmod won't care that you think /foo/bar |
| 22 |
should be a directory instead. |
Archives