On Mon, 2012-09-10 at 18:57 +0200, [email protected] wrote: > On Mon, Sep 10, 2012 at 3:51 PM, Zdeněk Pavlas <[email protected]> wrote: [...] > > + st = misc.stat_f(user) > > + if st and st.st_size == po.size: > > + try: > > + shutil.copy2(user, local) # user-writable, > > must copy > > + if po.verifyLocalPkg():
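Review bot: the `st.st_size == po.size` check is made on a stat() of the path before `shutil.copy2(user, local)` opens and reads it, so a user-writable file can be changed between the two calls and the copy itself is unbounded (verifyLocalPkg() only runs after the copy completes). Consider opening the file first, fstat()-ing the descriptor to confirm it is still a regular file of the expected size, and copying at most `po.size` bytes from that descriptor, failing if the data runs longer. Also, copy2() carries the source's mode bits and timestamps over to `local`; if the cache file should get its own permissions, copyfile() (data only) is the narrower call.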
> No problem with the code, but is this safe to just copy packages from an
> unpriv user tmp directory from a security point of view ?
> Can it be used for injection of infected packages from an unpriv user ?

 In theory the user can do "bad things" to the file between the stat() and the copy() (e.g. make the file 666x bigger) ... but the window is really small, and the attack will only last until we hit EOF and then verifyLocalPkg() will get it rm'd.

 Probably the worst is if the user can replace the original file with a pipe in that window (then we'll never hit EOF until they tell us to).

 If we are pushed, we can create our own copy() that takes an inode + maxsize and checks both as it copies.

 In general I'm much more worried about tree walking from a security POV (Esp. given there have been actual DOS attacks involving glob()). But on the other side, we have to worry even less about it if we only look at a specified path.

_______________________________________________
Yum-devel mailing list
[email protected]
http://lists.baseurl.org/mailman/listinfo/yum-devel
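The bounded copy() sketched in the reply above (inode + maxsize, checked while copying), written out as an added example; this is not yum's code, and the function name `copy_bounded`, the `demo()` scenario and its temp files are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile


def copy_bounded(src, dst, expected_ino, max_size, chunk=64 * 1024):
    """Copy src to dst, refusing if the opened file is not the regular file
    that was stat()'d earlier (inode check) or if it yields more than
    max_size bytes, however the source changes while we read it."""
    with open(src, "rb") as fsrc:
        st = os.fstat(fsrc.fileno())  # check the descriptor, not the path
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("source is not a regular file")
        if st.st_ino != expected_ino:
            raise ValueError("source inode changed between stat and open")
        if st.st_size > max_size:
            raise ValueError("source larger than expected")
        copied = 0
        try:
            with open(dst, "wb") as fdst:
                while True:
                    # never ask for more than one byte past the limit
                    buf = fsrc.read(min(chunk, max_size + 1 - copied))
                    if not buf:
                        break
                    copied += len(buf)
                    if copied > max_size:
                        raise ValueError("source grew past max_size during copy")
                    fdst.write(buf)
        except Exception:
            if os.path.exists(dst):
                os.unlink(dst)  # leave no partial file behind
            raise
    return copied


def demo():
    """Constructed scenario: a good copy, then the source grows after stat()."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "pkg.rpm")
    dst = os.path.join(tmp, "cache.rpm")
    with open(src, "wb") as f:
        f.write(b"A" * 1000)
    ino = os.stat(src).st_ino
    ok = copy_bounded(src, dst, ino, 1000)  # 1000 bytes copied
    with open(src, "ab") as f:  # simulate the race: file grows after stat()
        f.write(b"B" * 500)
    try:
        copy_bounded(src, dst, ino, 1000)
        grew = None
    except ValueError as e:
        grew = str(e)
    shutil.rmtree(tmp)
    return ok, grew
```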
