On Mon, Sep 10, 2012 at 11:14 PM, James Antill <[email protected]> wrote:
> On Mon, 2012-09-10 at 18:57 +0200, [email protected] wrote:
> > On Mon, Sep 10, 2012 at 3:51 PM, Zdeněk Pavlas <[email protected]> wrote:
> [...]
> > > + st = misc.stat_f(user) > > > + if st and st.st_size == po.size: > > > + try: > > > + shutil.copy2(user, local) # user-writable, > > > must copy > > > + if po.verifyLocalPkg():
>
> > No problem with the code, but is this safe to just copy packages from a
> > unpriv user tmp directory from a security point of view ?
> > Can it be used for injection of infected packages from a unpriv user ?
>
> In theory the user can do "bad things" to the file between the stat()
> and the copy() (Eg. make the file 666x bigger) ... but the window is
> really small, and the attack will only last until we hit EOF and then
> verifyLocalPkg() will get it rm'd. Probably the worst is if the user can
> replace the original file with pipe in that window (then we'll never hit
> EOF until they tell us to).
> If we are pushed, we can create our own copy() that takes an inode +
> maxsize and checks both as it copies.
> In general I'm much more worried about tree walking from a security POV
> (Esp. given there have been actual DOS attacks involving glob()).
>
> But on the other side, we have to worry even less about it if we only
> look at a specified path.
>
> _______________________________________________
> Yum-devel mailing list
> [email protected]
> http://lists.baseurl.org/mailman/listinfo/yum-devel
>
Ok, ACK
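
Review bot: the size test on `st` and the `shutil.copy2(user, local)` call each resolve the path `user` separately, and the comment on the copy line marks that path as user-writable, so the file that is copied need not be the one whose `st_size` matched `po.size`. Consider opening `user` once, checking file type and size with fstat on that descriptor, and copying at most `po.size` bytes from it, so that `po.verifyLocalPkg()` only ever runs on a bounded copy of the file that was checked. The quoted lines end before any handler for the `try:`; whatever it catches should also remove a partial `local`.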
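
The copy() that "takes an inode + maxsize and checks both as it copies", suggested in the reply above, written out as an added example; it is not code from yum or from this thread. `copy_checked`, `UnsafeSource`, the `.part` suffix and the file names in `demo()` are assumptions, and the files are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

class UnsafeSource(Exception): pass  # not the checked file, or too large

def copy_checked(src, dst, checked, max_size, chunk=65536):
    """Copy src to dst if it is still the inode in `checked` and <= max_size."""
    fd = os.open(src, os.O_RDONLY | os.O_NONBLOCK)  # never blocks on a FIFO
    part = f"{dst}.part"  # assumed temp name; renamed only on success
    try:
        now = os.fstat(fd)  # describes the open file, not the path
        if not stat.S_ISREG(now.st_mode):
            raise UnsafeSource("not a regular file")
        if (now.st_dev, now.st_ino) != (checked.st_dev, checked.st_ino):
            raise UnsafeSource("replaced since stat()")
        copied = 0
        with open(part, "wb") as out:
            while buf := os.read(fd, chunk):
                copied += len(buf)
                if copied > max_size:
                    raise UnsafeSource("grew past max_size")
                out.write(buf)
        os.rename(part, dst)
        return copied
    except UnsafeSource:
        Path(part).unlink(missing_ok=True)  # leave no partial copy
        raise
    finally:
        os.close(fd)

def demo():
    out = {}
    with tempfile.TemporaryDirectory() as d:
        src, dst, new = (Path(d, n) for n in ("pkg.rpm", "cache.rpm", "new"))
        src.write_bytes(b"A" * 100)  # constructed stand-in for a package
        st = os.stat(src)  # checked once; src then changes before each copy
        changes = [("unchanged", lambda: None),
                   ("grown", lambda: src.write_bytes(b"B" * 1000)),
                   ("replaced", lambda: (new.write_bytes(b"C" * 100), new.replace(src))),
                   ("fifo", lambda: (src.unlink(), os.mkfifo(src)))]
        for name, change in changes:
            change()
            try:
                out[name] = copy_checked(src, dst, st, 100)
            except UnsafeSource as e:
                out[name] = str(e)
    return out
```

`demo()` returns the byte count for the unchanged file and the rejection reason for each of the three altered cases.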
