Hi Igor,

I opened bug #25904 <https://savannah.gnu.org/bugs/index.php?25904> for this, please add the findings to that if needed. I will check more on this tomorrow.

Note, this is not a security issue - it is only the owner that can touch the file, but it can lead to overwriting data that you didn't want to have overwritten. A nuisance of course. GNUstep is not using anything that can override the operating system's permission checks, it is all built upon standard base libraries (glibc etc).

// Tim

On Wed, Mar 18, 2009 at 12:19 AM, Igor Pirnovar <[email protected]> wrote:
> Hi Tim,
>
> Let me add that the above security bridge is not only manifested when you
> set the {{ atomically: YES }} but also when you do not use this feature!
>
> Torli
>
>
> On Tue, 2009-03-17 at 19:18 -0400, Torli Birnbauer wrote:
>
> On Tue, 2009-03-17 at 23:38 +0100, Tim Kack wrote:
>
> Hi all,
>
> Yes - I am not sure if this is intended behavior or not.
> The file is created/written to like this:
> 1. Create a unique file
> 2. Write string to that file
> 3. Using glibc Rename function to rename the unique file to the old file.
> (NSData.m:1054)
> 4. Set the attributes on the new unique file
>
> The docs for rename(const char *oldname, const char *newname) function says
> that:
> "If oldname is not a directory, then any existing file named newname is
> removed during the naming operation."
> I tried to figure out what is _intended_ to happen but I have not found
> anything so far.
>
> I will open up a bug on Savannah.
>
> // Tim
>
> 2009/3/17 Torli Birnbauer <[email protected]>
>
> I have just started to learn the GNUstep's development environment and I
> have in my very first program stumbled across a serious security problem in
> the way Objective-C handles IO. Obviously, Objective-C does not honour Unix
> file permissions. You can reproduce this problem on Unix/Linux systems by
> setting {{ chmod 000 /some/dir/your.data }}, and then run the example
> program in the GNUstep documentation page (Base Programming Manual/The
> Objective-C Language) under "2.8.5 Loading and Saving Strings" by setting
> the path to {{ /some/dir/your.data }}.
>
> Torli
>
> _______________________________________________
> Discuss-gnustep mailing list
> [email protected]
> http://lists.gnu.org/mailman/listinfo/discuss-gnustep
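
The write sequence discussed in this thread, as an added C example (not GNUstep code and not written by any of the posters): it shows that `rename()` replaces a `chmod 000` target because the permission check applies to the containing directory, and what a pre-check on the target's mode changes. The names `atomic_write`, `demo` and `honor_mode`, the temp-dir path, and the owner-write-bit policy are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Steps 1-4 from the thread; honor_mode is an added pre-check, not GNUstep's fix. */
static int atomic_write(const char *path, const char *data, int honor_mode) {
    struct stat st;
    char tmp[512];
    int exists = (stat(path, &st) == 0);
    if (honor_mode && exists && !(st.st_mode & S_IWUSR)) { errno = EACCES; return -1; }
    snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    int fd = mkstemp(tmp);                         /* 1. create a unique file */
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));     /* 2. write the string */
    close(fd);
    if (n != (ssize_t)strlen(data) || rename(tmp, path) != 0) {  /* 3. rename */
        unlink(tmp); return -1;
    }
    if (exists) chmod(path, st.st_mode & 07777);   /* 4. set attributes */
    return 0;
}

/* Constructed scenario: a chmod 000 file holding "old"; out gets its content. */
static int demo(int honor_mode, char *out, size_t outlen) {
    char dir[] = "/tmp/rename-demo-XXXXXX", path[64];
    size_t got = 0;
    if (!mkdtemp(dir)) return -2;
    snprintf(path, sizeof path, "%s/your.data", dir);
    FILE *f = fopen(path, "w");
    if (!f) return -2;
    fputs("old", f); fclose(f); chmod(path, 0);    /* owner removes all access */
    int rc = atomic_write(path, "new", honor_mode);
    chmod(path, 0600);                             /* make it readable again */
    if ((f = fopen(path, "r"))) { got = fread(out, 1, outlen - 1, f); fclose(f); }
    out[got] = '\0';
    unlink(path); rmdir(dir);
    return rc;
}

int main(void) {
    char buf[16];
    for (int honor = 0; honor <= 1; honor++) {
        int rc = demo(honor, buf, sizeof buf);
        printf("honor_mode=%d rc=%d content=%s\n", honor, rc, buf);
    }
    return 0;
}
```

The pre-check inspects the mode bits with `stat()` rather than calling `access()`, so it gives the same answer when the process runs as root.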
