> User comes to you and says "I accidentally deleted my most important > directory. I know that you make daily backups. Can you restore > it from backup?" > > You do > > cp -a /backup/home/user/dir /home/user > > But user has crafted it so that backup contains > dir/many_more_dirs/innocuous_file, and he also > created a symlink > > ln -s /etc/passwd /home/user/dir/many_more_dirs/innocuous_file > > Now imagine the effect of the above cp command. > Personally, I would never restore a backup over an existing directory, but to an empty one. From there I (or the user) could move the needed files to the right place.
But I see your point. > The attacker don't write file himself. He tricks root into doing it. > The attacker creates the link and then must tick root into writing to it. That was clear. > GNU coreutils have cp --remove-destination. I think people > will forget to use it until it's too late. > > I see that for "cp file1 file2" it is a problem, > but for "cp -r dir1 dir2" it is exactly what you want. right? > So "cp -r" would imply "--remove-destination", while "cp without -r" would not? I think that is a good solution, better that differentiating between regular and device files. Regards Ralf Friedl _______________________________________________ busybox mailing list busybox@busybox.net http://busybox.net/cgi-bin/mailman/listinfo/busybox