Is there a reason we do not turn on the file system hardlink/symlink protection in Rawhide?
Konstantin Ryabitsev
icon at fedoraproject.org
Thu Mar 14 03:03:23 UTC 2013
On Wed, Mar 13, 2013 at 2:55 PM, seth vidal <skvidal at fedoraproject.org> wrote:
>
> I apologize for the ignorance - but what do these _do_.
>
> (please don't say they protect your hardlinks and symlinks) - I mean
> what does 'protected' mean in this context.
It's an fs-level implementation of Apache's SymlinksIfOwnerMatch. It
closes a number of vulnerabilities, such as taking advantage of
insecure tempfile handling (you think you're writing to
/tmp/myapp.debug, but a malicious symlink points that to
/etc/somethingoranother).

I agree that we should turn this on by default.
Best,
--
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec