Re: [PATCH] Fix system() behaviour when parameter is NULL

To: tech-userlevel%NetBSD.org@localhost
Subject: Re: [PATCH] Fix system() behaviour when parameter is NULL
From: der Mouse <mouse%Rodents-Montreal.ORG@localhost>
Date: Thu, 28 Aug 2008 15:43:33 -0400 (EDT)

>> Well...strictly speaking, it works, but opens up a classic
>> test-vs-use race if you then proceed to count on the result to mean
>> that it's safe to use the pathname you tested.
> I think this is what I said.

Mmm.  I'd say more that it's an elaboration of what you said.

>> If system()'s caller is set-id, I'm not convinced it will give the
>> answer we want if the ruid and euid have different access rights on
>> _PATH_BSHELL.
> A different question entirely, and you may be right -- I was simply
> answer the question about whether access() is a security hole per se.

True; this was really returning to the patch that started it all,
rather than continuing down the subthread most of the message was.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse%rodents-montreal.org@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

References:
- [PATCH] Fix system() behaviour when parameter is NULL
  - From: Andy Shevchenko
- Re: [PATCH] Fix system() behaviour when parameter is NULL
  - From: mouss
- Re: [PATCH] Fix system() behaviour when parameter is NULL
  - From: Steven M. Bellovin
- Re: [PATCH] Fix system() behaviour when parameter is NULL
  - From: der Mouse
- Re: [PATCH] Fix system() behaviour when parameter is NULL
  - From: Steven M. Bellovin

Prev by Date: Re: [PATCH] Fix system() behaviour when parameter is NULL
Next by Date: Re: [PATCH] Fix system() behaviour when parameter is NULL
Previous by Thread: Re: [PATCH] Fix system() behaviour when parameter is NULL
Next by Thread: Re: [PATCH] Fix system() behaviour when parameter is NULL
Indexes:

Home | Main Index | Thread Index | Old Index