Re: Some ostree observations



On 02/26/2014 10:36 PM, Colin Walters wrote:

It will still be vulnerable to attacks based on hard links. As a
result of your linking farms, I don't think you'll be able to defend
against those.

How about keeping all directories owned by root:root and mode 0700 until
they're fully populated, then doing the fchown/fchmod on the dirfd?

If you create all the directories from scratch, this is a good practice to follow anyway and would address this issue as well.

--
Florian Weimer / Red Hat Product Security Team
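
The practice discussed in this message (keep a new directory at mode 0700 until it is fully populated, then fchown/fchmod on the dirfd), sketched in C as an added example; it is not code from this thread or from ostree. The helper name `populate_then_publish` and the `payload` file are hypothetical, and the directory starts out owned by the creating process (root in the scenario above).

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: create `name` under parentfd as a private 0700
 * directory, fill it, then publish it with its final owner and mode.
 * Returns 0 on success, -1 on error. */
int populate_then_publish(int parentfd, const char *name,
                          uid_t uid, gid_t gid, mode_t final_mode)
{
    /* Fails with EEXIST if anything already occupies the name. */
    if (mkdirat(parentfd, name, 0700) != 0)
        return -1;

    /* O_NOFOLLOW: refuse a symlink swapped in after mkdirat. */
    int dirfd = openat(parentfd, name,
                       O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dirfd < 0)
        return -1;

    /* Confirm the fd refers to a private directory we own. */
    struct stat st;
    if (fstat(dirfd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0)
        goto fail;

    /* Populate relative to dirfd; no other user can traverse it yet. */
    static const char data[] = "constructed sample content\n";
    int fd = openat(dirfd, "payload",
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        goto fail;
    ssize_t n = write(fd, data, sizeof data - 1);
    if (close(fd) != 0 || n != (ssize_t)(sizeof data - 1))
        goto fail;

    /* Publish via the descriptor, not the path. fchown goes first because
     * it can clear setuid/setgid bits that fchmod would set. */
    if (fchown(dirfd, uid, gid) != 0 || fchmod(dirfd, final_mode) != 0)
        goto fail;
    close(dirfd);
    return 0;
fail:
    close(dirfd);
    return -1;
}
```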

