Date: Tue, 13 Jun 2017 16:42:06 +0000
From: Fiedler Roman <Roman.Fiedler@....ac.at>
To: "fweimer@...hat.com" <fweimer@...hat.com>,
        "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Vixie/ISC Cron group crontab to root escalation

> From: Florian Weimer [mailto:fweimer@...hat.com]
>
> On 06/13/2017 02:32 PM, Fiedler Roman wrote:
> > Well, partially: what O_PATH can do, you could also do before O_PATH using
> > repeated single-level open(NO_FOLLOW)/fstat-checks. So you had to do all the
> > verification by yourself.
>
> That's not completely accurate because open/close on device nodes can
> have side effects (the classic example is a rewinding tape device).
> O_PATH gives you an opportunity to perform these policy checks before
> the side effect happens.

So true, I know about this case. But my initial message was not intended to
compare subtle differences of O_PATH with other OS file access functionality
already available but - prove me wrong - to argue for extending open
functionality in general using features O_PATH to my knowledge cannot provide.
But all that content was removed in the first reply to the message.

LG Roman
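
Added example, not part of the original message and not code from any project discussed in the thread: a C sketch of the O_PATH pattern described in the quoted reply, where policy checks run on an O_PATH handle before any real open. The helper name, the "regular file owned by a given uid" policy and the reopen through /proc/self/fd (the method documented in open(2), not stated in this message) are assumptions of the example.

```c
#define _GNU_SOURCE            /* O_PATH is Linux-specific */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: return a read-only fd for path only if it is a
 * regular file owned by owner (an illustrative policy); -1 otherwise. */
int open_checked_regular(const char *path, uid_t owner)
{
    struct stat st;
    char reopen[64];
    int pfd, fd;
    /* O_PATH yields a handle without opening the file itself, so no device
     * open routine runs; with O_NOFOLLOW a final symlink is not followed. */
    pfd = open(path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (pfd < 0)
        return -1;

    /* Policy checks on the handle, before any real open happens. */
    if (fstat(pfd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(pfd);
        errno = EPERM;
        return -1;
    }

    /* Reopen the inode that was checked, not the path, so a rename or
     * symlink swap after the check cannot redirect the open. */
    snprintf(reopen, sizeof reopen, "/proc/self/fd/%d", pfd);
    fd = open(reopen, O_RDONLY | O_CLOEXEC);
    close(pfd);
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return EXIT_FAILURE;
    }
    int fd = open_checked_regular(argv[1], geteuid());
    if (fd < 0) { perror("refused"); return EXIT_FAILURE; }
    printf("%s passed the checks, fd %d\n", argv[1], fd);
    close(fd);
    return EXIT_SUCCESS;
}
```

The reopen step needs /proc mounted, and normal permission checks still apply to it.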
