> On Mon, Apr 30, 2001 at 12:19:32 +0100, Simon Marlow wrote:
> > > So, I think a safe solution is to ensure that the .ghci file belongs
> > > to the user. Checking for decent permissions would increase security,
> > > but well, IMO it's the users' fault, if he creates a 777 .ghci :-P
> >
> > I've thought about this a bit more. It's not enough to just check the
> > owner and permissions of .ghci if the current *directory* is world
> > writable.
>
> If user X writes/modifies ./.ghci, then it gets the ownership of X,
> doesn't it?
>
> How do I trick the file system to keep the ownership of the modified
> file to the original user?
I think to be on the safe side, we need to check that both "." and
"./.ghci" are owned by the current user and aren't world writable. Is
that sufficient?
If you check ownership first then open the file, there's a security hole
because an attacker can replace the file before we open it. If you do
it the other way around, there's still a security hole unless you use
fstat() (this is one reason why using access() is generally
discouraged). Using fstat() isn't particularly convenient from Haskell
- there's Posix.getFdStatus, but we'd have to use the Posix openFile
interface and fdToHandle. Alternatively we also can check ownership of
the directory.
Cheers,
Simon
_______________________________________________
Glasgow-haskell-bugs mailing list
[EMAIL PROTECTED]
http://www.haskell.org/mailman/listinfo/glasgow-haskell-bugs