Hello,

policyd-weight still did not check the working directory correctly.

    1st: I assumed [ -L /foo/bar ] is the same as [ -L /foo/bar/ ]
    because the -L tells the file test what to look for. But in the
    latter form it is checked with S_IFDIR.

    We normalize the path with File::Spec->canonpath as s,/+$,, is
    not sufficient.


    2nd: policyd-weight didn't check the ownership of real directories
    which might have resulted in a race attack. Policyd-weight gets the
    stat/lstat once and reuses that information in order to
    provide some sort of atomicity of the check_symlnk() sub-routine.




MD5 (policyd-weight)                        =
    68373b7cfeda52b78df6229ed658771e

SHA256 (policyd-weight)                     = 
    4245495685e516e00a363a97aaa17456f48c51fcbdb4458989a9d68db64083bc

MD5 (policyd-weight-0.1.14.17.tar.gz)       =
    c90128d2442ba343e8127dc0dbdcfd9a

SHA256 (policyd-weight-0.1.14.17.tar.gz)    =
    c13bac397cbd8c018b41686da4e4ce9450fb045752d7f0ab518d9836b39dbf36



-- 
    Robert Felber (PGP: 896CF30B)
    Munich, Germany

____________________________________________________________
Policyd-weight Mailinglist - http://www.policyd-weight.org/
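
The two points in the announcement above, as an added Perl sketch that is not policyd-weight's own code: check_dir() is a hypothetical helper that canonicalizes the path, calls lstat once, and takes the symlink, directory and owner decisions from that single result. The temporary paths are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added illustration, not taken from policyd-weight.
# check_dir() is a hypothetical name; paths below are constructed test data.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Fcntl qw(:mode);

# Returns undef when $path is a real directory owned by $uid,
# otherwise a short reason string.
sub check_dir {
    my ($path, $uid) = @_;

    # canonpath removes trailing and doubled slashes, so lstat() inspects
    # the last path component itself and not what a symlink points to.
    my $dir = File::Spec->canonpath($path);

    # One lstat() call; every decision below uses this one result, so the
    # object cannot be swapped between the symlink test and the owner test.
    my @st = lstat($dir) or return "lstat failed: $!";
    my ($mode, $owner) = @st[2, 4];

    return "is a symlink"    if S_ISLNK($mode);
    return "not a directory" unless S_ISDIR($mode);
    return "owner is uid $owner, expected $uid" unless $owner == $uid;
    return;
}

# Constructed layout: a real directory and a symlink pointing at it.
my $tmp  = tempdir(CLEANUP => 1);
my $real = "$tmp/real";
my $link = "$tmp/link";
mkdir $real, 0700    or die "mkdir: $!";
symlink $real, $link or die "symlink: $!";

# Compare a bare -l test on the raw path with the canonicalized check.
# With a trailing slash the raw test resolves the link and sees a directory.
for my $suffix ("", "/", "///") {
    for my $base ($real, $link) {
        my $p = $base . $suffix;
        printf "%-8s raw -l: %-3s  check_dir: %s\n",
            substr($p, length($tmp) + 1),
            (-l $p ? "yes" : "no"),
            check_dir($p, $>) // "ok";
    }
}
```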
