Date: Wed, 23 Dec 2009 12:17:13 -0800
From: Brandon Philips <>
To: Hanno Böck <>
Cc: OSS Security List <>
Subject: Re: CVE request: acl 2.2.47 always follows symlinks

On 11:50 Wed 23 Dec 2009, Hanno Böck wrote:
> setfacl/getfacl (part of package acl-2.2.47) contain a bug: they ignore
> the --physical/-P parameter, which means "don't follow symlinks" on -R
> (recursive).
> This can lead to security problems, e.g. if there's a cron script giving a
> user full rwX rights for a directory, he can put a symlink there pointing to /
> or /etc or whatever.
> Another scenario would be a backup script saving the /home acls to a file,
> every user can create an endless loop for that and prevent the script from
> completing.
> Fixed in upstream source, but no new release yet.

Upstream for acl and attr has moved from SGI to community hosting at The latest release is here:

Mailing lists, git repos, and a bug system can be found here:


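The -R/-P behaviour described in the quoted report, as an added regression check that is not part of this thread or of the acl project: it builds a scratch tree in which a symlink inside the recursed directory points at a directory outside it, runs `setfacl -R -P`, and reports whether the symlink target's ACL was changed. The directory names and the ACL entry (uid 65534) are constructed for this check.

```shell
#!/bin/sh
# Added example, not from the thread: regression check for the setfacl -R -P
# bug quoted above. A symlink inside the recursed tree points at a directory
# outside it; with a correct --physical walk that target must stay untouched.
# Directory names and the ACL entry (uid 65534) are constructed for this check.

check_setfacl_physical() {
    for tool in setfacl getfacl; do
        command -v "$tool" >/dev/null 2>&1 || { echo "SKIP: $tool missing"; return 2; }
    done
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/victim" "$tmp/shared"
    # Symlink that -R will encounter while walking shared/, pointing outside it.
    ln -s "$tmp/victim" "$tmp/shared/escape"
    before=$(getfacl -n -p "$tmp/victim" 2>/dev/null) || { rm -rf "$tmp"; return 2; }
    # -P (--physical): the walk must not follow shared/escape into victim/.
    setfacl -R -P -m u:65534:rwX "$tmp/shared" 2>/dev/null
    after=$(getfacl -n -p "$tmp/victim" 2>/dev/null) || { rm -rf "$tmp"; return 2; }
    # Sanity check: the filesystem really supports ACLs (the entry landed on shared/).
    if ! getfacl -n -p "$tmp/shared" 2>/dev/null | grep -q '^user:65534:'; then
        rm -rf "$tmp"; echo "SKIP: ACLs unsupported on $tmp"; return 2
    fi
    rm -rf "$tmp"
    if [ "$before" = "$after" ]; then
        echo "OK: setfacl -R -P left the symlink target alone"; return 0
    fi
    echo "VULNERABLE: setfacl -R -P followed the symlink and changed its target"
    return 1
}

# Exit status: 0 = -P honoured, 1 = symlink followed, 2 = could not test here.
status=0
check_setfacl_physical || status=$?
```

A result of 2 means the environment could not exercise the check (no acl tools, or a filesystem without ACL support), not that the installed version is safe.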
