httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: [PATCH] remove bogus LockFile warning from docs
Date Mon, 22 Dec 1997 23:27:16 GMT


On Mon, 22 Dec 1997, Marc Slemko wrote:

> I really really would suggest that any system which doesn't honor
> O_CREAT|O_EXCL properly is so bogus that it isn't worth thinking about.
> This is far from your only security problem on such a system... the
> problem is that a warning like what was there directly conflicts with
> advice to "put it in /var/tmp" that we (I) give.

The stuff I'm worried about is what happens with symlinks and
O_CREAT|O_EXCL.  For example:  "ln -s /var/tmp/accept_lock.9999
/etc/nologin".  On a system using flock() this creates a nice DoS.  The
single unix spec doesn't require any symlink tests to be performed. 

Yeah /var/tmp is an easy off-the-cuff answer.  /var/run is probably better
where it exists. 

Dean
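
What the symlink concern above means for code that creates a lock file, as an added example that is not part of the original message and is not Apache's code. The names `create_lock_file` and `demo_lock_file` and the `/tmp/lockdemo.*` directory are hypothetical and constructed for the demo; `O_NOFOLLOW` (POSIX.1-2008) is assumed to be available.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Apache's code): create a lock file that must not
 * already exist in any form, symlink included. Returns an fd, or -1. */
int create_lock_file(const char *path)
{
    struct stat st;
    /* O_EXCL: fail with EEXIST if path exists. Current POSIX extends that to
     * a symlink at path, even a dangling one. O_NOFOLLOW is a second guard. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Check what was really opened: a regular file, ours, with one link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo in a private temp directory: a symlink planted at the lock
 * path must be refused without creating its target; a fresh path must work.
 * Returns 1 if both hold, 0 if not, -1 on setup failure. */
int demo_lock_file(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX", lock[64], target[64], fresh[64];
    struct stat st;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(lock, sizeof lock, "%s/accept_lock.9999", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(fresh, sizeof fresh, "%s/accept_lock.1", dir);
    int linked = symlink(target, lock) == 0;
    int fd1 = create_lock_file(lock);          /* expected: refused */
    int untouched = lstat(target, &st) != 0;   /* target never created */
    int fd2 = create_lock_file(fresh);         /* expected: succeeds */
    int ok = linked && fd1 < 0 && untouched && fd2 >= 0;
    if (fd1 >= 0) close(fd1);
    if (fd2 >= 0) close(fd2);
    unlink(lock); unlink(target); unlink(fresh); rmdir(dir);
    return ok;
}

int main(void) { printf("refused + created: %d\n", demo_lock_file()); return 0; }
```

The `fstat()` check after the open is the part that still helps on a system whose `open()` does not perform the symlink test; a root-owned directory such as `/var/run` removes the opportunity to plant the link in the first place.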

