Package: manpages-dev
Version: 3.03-1
Severity: normal

In recent versions of manpages-dev, the warning about O_EXCL and NFS
reads in part:

  O_EXCL is not supported on NFSv2 or on Linux before kernel 2.6; it is
  supported on Linux 2.6 and later, with NFSv3 or later.

This is false.  Linux 2.4.31 does support O_EXCL [0], correctly, it
appears.  The same code appears to be present in Linux 2.4.0.
Additionally, I cannot honestly believe that something as important as
O_EXCL (which is required for avoiding root security holes) doesn't
actually work at all with 2.4 kernels[1].  It may not work in conjunction
with NFS; that's fine, and that should be documented.  But the text
should not lead people to believe that O_EXCL only works with Linux 2.6,
when in fact that's not the case.

It might be useful to also explain whether NFS O_EXCL is broken with
regard to symlink attacks, as well as locking.

[0] http://lxr.linux.no/linux-old+v2.4.31/fs/namei.c#L1072
[1] If this is actually the case, then every program that creates an
O_EXCL file as root is vulnerable to symlink attacks.  Yay for
overwriting /sbin/init!

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages manpages-dev depends on:
ii  manpages                      3.03-1     Manual pages about using a GNU/Lin

manpages-dev recommends no packages.

Versions of packages manpages-dev suggests:
ii  man-db [man-browser]          2.5.2-2    on-line manual pager

-- no debconf information

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

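The local-filesystem behaviour the report relies on, as an added example that is not part of the original report: `O_CREAT|O_EXCL` refuses a path that is a symlink (`EEXIST`), whereas `O_CREAT|O_TRUNC` follows it and truncates the target. The scratch directory, file names and helper functions are constructed for illustration, and the example says nothing about NFS.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` with O_CREAT plus `flags` and write `data`; 0 or -errno. */
static int write_file(const char *path, int flags, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | flags, 0600);
    if (fd < 0) return -errno;
    ssize_t n = write(fd, data, strlen(data));
    int err = n < 0 ? -errno : 0;
    close(fd);
    return err;
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* In a private scratch directory (constructed sample data), plant a symlink
 * "out" -> "victim", then create "out" with `flags`. Returns the result of
 * that create; *victim_size receives the victim's size afterwards. */
int demo(int flags, long *victim_size) {
    char dir[] = "/tmp/oexcl-demo-XXXXXX", victim[64], out[64];
    if (!mkdtemp(dir)) return -errno;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(out, sizeof out, "%s/out", dir);
    int rc = write_file(victim, O_EXCL, "important contents\n"); /* 19 bytes */
    if (rc == 0 && symlink(victim, out) != 0) rc = -errno;
    if (rc == 0) rc = write_file(out, flags, "x");
    *victim_size = file_size(victim);
    unlink(out); unlink(victim); rmdir(dir);
    return rc;
}

int main(void) {
    long size;
    int rc = demo(O_TRUNC, &size);   /* follows the symlink, clobbers victim */
    printf("O_CREAT|O_TRUNC: rc=%d, victim is now %ld bytes\n", rc, size);
    rc = demo(O_EXCL, &size);        /* fails with EEXIST, victim untouched */
    printf("O_CREAT|O_EXCL:  rc=%d (%s), victim is still %ld bytes\n",
           rc, strerror(-rc), size);
    return 0;
}
```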