Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[tcpcrypt-dev] [PATCH] avoid symlink attacks in launch_tcpcryptd.sh

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jul 23 09:40:15 PDT 2014


On 07/23/2014 11:50 AM, Andrea Bittau wrote:
> yeah it only seems to be used by the test script so it might not be
> the end of the world.
> 
> i'm concerned with /run/ because i'm not sure how multiplatform it is.
> E.g., mac doesn't seem to have it.

hm, maybe check if /run exists, and use it where it does exist;
otherwise, maybe use ~root ?

It is bad form to use a world-writable directory with a predictable
filename (this would probably get a CVE if it was released this way).

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.stanford.edu/pipermail/tcpcrypt-dev/attachments/20140723/6109b811/attachment.asc>


More information about the tcpcrypt-dev mailing list