diff options
author | William Hubbs <w.d.hubbs@gmail.com> | 2020-11-20 09:15:59 -0600 |
---|---|---|
committer | William Hubbs <w.d.hubbs@gmail.com> | 2020-11-20 09:15:59 -0600 |
commit | b6fef599bf8493480664b766040fa9b0d4b1e335 (patch) | |
tree | 25d19243ee73dfd5cc6e36572b37b52457792110 /TODO | |
parent | aac1734a70b60da97d4d24930f1902ca46894b44 (diff) |
checkpath: fix CVE-2018-21269
This walks the directory path to the file we are going to manipulate to make
sure that when we create the file and change the ownership and permissions
we are working on the same file.
Also, all non-terminal symbolic links must be owned by root. This will
keep a non-root user from making a symbolic link as described in the
bug. If root creates the symbolic link, it is assumed to be trusted.
On non-linux platforms, we no longer follow non-terminal symbolic links
by default. If you need to do that, add the -s option on the checkpath
command line, but keep in mind that this is not secure.
This fixes #201.
Diffstat (limited to 'TODO')
0 files changed, 0 insertions, 0 deletions