Subject: Re: Addition to force open to open only regular files
To: NetBSD Kernel Technical Discussion List <tech-kern@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-kern
Date: 11/20/2000 17:24:23
[ On Monday, November 20, 2000 at 12:14:38 (-0800), Greywolf wrote: ]
> Subject: Re: Addition to force open to open only regular files
>
> Excuse me. He *did* show you ACCESS.
Well excuse me too, but ACCESS in this context means reading and/or
writing of the *contents* of a file -- i.e. the protected data itself,
not its *attributes*. Yes, I know it's touchy to use security-style
terms when speaking in a Unix filesystem context, but....
Furthermore, as we all know, the timestamp attributes of a file can be
(and except for some applications like CVS, always are) safely examined
and compared *without* the use of $TZ.
Note also that CVS in particular explicitly does not support being
executed as a set-ID program *and* it even rejects being run as root.
> # Sure if some idiot writes a shell script that tries to interpret the
> # timestamps as modified by TZ then they'll get in trouble. But that
> # would be a really idiotic thing to do now, wouldn't it.
>
> If they had something that could read a protected file via TZ,
> that might not be so idiotic.
About the only way $TZ could be used to read a protected file would be
if there's either a bug in the timezone libraries, or if there's a way
that either /etc/localtime or the directories and files it should point
to can be compromised.
(Unlike $HOSTALIASES which explicitly allows the user to specify any
filename to be opened and read as a list of host aliases, and then
closed, thus making it trivial to compromise the contents of a tape by
causing a spurious rewind at the wrong time and also potentially making
it possible to reveal the contents of any file accessible by the
effective-ID of a set-ID program.)
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
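As an added example, not code from this thread or from NetBSD, here is the check the subject line proposes, written as a defender's wrapper for a set-ID program that is handed a user-chosen filename such as $HOSTALIASES: it refuses anything but a plain regular file before any open() happens, so a device node like a rewinding tape drive is never opened and closed. The function name, the errno choice and the temporary-file self-check are my own assumptions.

```c
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Open PATH read-only, but only if it is a plain regular file (else -1/errno). */
int open_regular_file(const char *path)
{
    struct stat pre, post;
    int fd, fl;
    /* lstat() first: a symlink, device node, FIFO or directory is refused
     * before any open(), so a rewinding tape never sees an open()/close(). */
    if (lstat(path, &pre) == -1)
        return -1;
    if (!S_ISREG(pre.st_mode)) {
        errno = EINVAL;
        return -1;
    }
    /* O_NONBLOCK|O_NOCTTY: a swapped-in FIFO or tty cannot block or grab us. */
    fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd == -1)
        return -1;
    /* Re-check what was really opened and require the inode lstat() saw. */
    if (fstat(fd, &post) == -1 || !S_ISREG(post.st_mode)
        || post.st_dev != pre.st_dev || post.st_ino != pre.st_ino) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    if ((fl = fcntl(fd, F_GETFL)) != -1)   /* back to blocking reads */
        (void)fcntl(fd, F_SETFL, fl & ~O_NONBLOCK);
    return fd;
}

/* Self-check on a constructed temp file: 1 if it opens and reads back. */
int regular_file_roundtrip(void)
{
    char name[] = "/tmp/aliasXXXXXX", buf[16];
    int wfd = mkstemp(name), rfd, ok = 0;
    if (wfd != -1 && write(wfd, "alias host\n", 11) == 11
        && (rfd = open_regular_file(name)) != -1) {
        ok = read(rfd, buf, sizeof buf) == 11 && memcmp(buf, "alias host\n", 11) == 0;
        close(rfd);
    }
    if (wfd != -1) { close(wfd); unlink(name); }
    return ok;
}
```

The fstat() comparison against the earlier lstat() result is what closes the race between the two calls; the lstat() alone is what keeps a device node from ever being opened.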