Date: Tue, 13 Jun 2017 18:35:45 +0200
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com, Fiedler Roman <Roman.Fiedler@....ac.at>
Subject: Re: Vixie/ISC Cron group crontab to root escalation

On 06/13/2017 02:32 PM, Fiedler Roman wrote:
> Well, partially: what O_PATH can do, you could also do before O_PATH using 
> repeated single-level open(NO_FOLLOW)/fstat-checks. So you had to do all the 
> verification by yourself.

That's not completely accurate because open/close on device nodes can
have side effects (the classic example is a rewinding tape device).
O_PATH gives you an opportunity to perform these policy checks before
the side effect happens.

Florian
