Re: link() security
H. Peter Anvin (hpa@zytor.com)
15 Apr 2002 12:25:27 -0700
Followup to: <s5gpu11rpgx.fsf@egghead.curl.com>
By author: "Patrick J. LoPresti" <patl@curl.com>
In newsgroup: linux.dev.kernel
> Actually, that is a horrible policy from a security perspective. The
> shared mail spool itself is a poor design and always has been.
>
> A better design is to use a separate spool directory for each user
> (/var/spool/mail/user/ or ~user/mail/ or somesuch), and only allow
> that user to access it at all. This solves *all* of the security
> problems you mention:
>
> *) It avoids attacks based on race conditions, because you cannot
> create files in somebody else's spool.
>
> *) Admins can manage space with quotas or partitions just like they
> do for user home directories (i.e., it is a solved problem).
>
> *) You cannot link() to somebody else's spool file because you
> cannot even read the directory in which it resides.
>
> The solution to a fundamentally broken spool design is to fix that
> design, not to patch the kernel in nonstandard ways to plug just one
> of its multiple flaws.
Not to mention the fact that the single file mailbox design is itself
flawed. Mailboxes are fundamentally directories, which news server
authors quickly realized.
-hpa
--
<hpa@transmeta.com> at work, <hpa@zytor.com> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt <amsp@zytor.com>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/