aboutsummaryrefslogtreecommitdiff
path: root/TODO
diff options
context:
space:
mode:
authorWilliam Hubbs <w.d.hubbs@gmail.com>2020-11-20 09:15:59 -0600
committerWilliam Hubbs <w.d.hubbs@gmail.com>2020-11-20 09:15:59 -0600
commitb6fef599bf8493480664b766040fa9b0d4b1e335 (patch)
tree25d19243ee73dfd5cc6e36572b37b52457792110 /TODO
parentaac1734a70b60da97d4d24930f1902ca46894b44 (diff)
checkpath: fix CVE-2018-21269
This walks the directory path to the file we are going to manipulate to make sure that when we create the file and change the ownership and permissions we are working on the same file. Also, all non-terminal symbolic links must be owned by root. This will keep a non-root user from making a symbolic link as described in the bug. If root creates the symbolic link, it is assumed to be trusted. On non-linux platforms, we no longer follow non-terminal symbolic links by default. If you need to do that, add the -s option on the checkpath command line, but keep in mind that this is not secure. This fixes #201.
Diffstat (limited to 'TODO')
0 files changed, 0 insertions, 0 deletions