Date: Tue, 13 Jun 2017 16:42:06 +0000 From: Fiedler Roman <Roman.Fiedler@....ac.at> To: "fweimer@...hat.com" <fweimer@...hat.com>, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: Re: Vixie/ISC Cron group crontab to root escalation > Von: Florian Weimer [mailto:fweimer@...hat.com] > > On 06/13/2017 02:32 PM, Fiedler Roman wrote: > > Well, partially: what O_PATH can do, you could also do before O_PATH > using > > repeated single-level open(NO_FOLLOW)/fstat-checks. So you had to do > all the > > verification by yourself. > > That's not completely accurate because open/close on device nodes can > have side effects (the classic example is a rewinding tape device). > O_PATH gives you an opportunity to perform these policy checks before > the side effect happens. So true, I know about this case. But my initial messages was not intended to compare subtle differences O_PATH with other OS file access functionality already available but - prove me wrong - to argue for extending open functionality in general using features O_PATH to my knowledge cannot provide. But all that content was removed in the first reply to the message. LG Roman [ CONTENT OF TYPE application/pkcs7-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ