On Friday 07 June 2013 18:55:46 Lennart Poettering wrote:
> > > On Fri, 07.06.13 12:09, Steve Grubb (sgrubb@redhat.com) wrote:
> > > > > > Maybe the uid can be encoded in the name so that wrong uid's are
> > > > > > skipped?
> User "simo" creates /dev/shm/1000/ even though 1000 is the UID of user
> "lennart". Lennart can never start PA again, ever. And can't do anything
> about it, because "simo" is in control, and /dev/shm is sticky.
Why the UID has to be encoded in the name?
* The application can simply issue an lstat() before open() and skip
files with wrong uid's.
* Obviously, an attacker could try and trigger some race condition on
the name, but than it's OK for the audit to shout about it.
What am I missing?
--
Oron Peled Voice: +972-4-8228492
oron@actcom.co.il http://users.actcom.co.il/~oron
You know, someone once told me that New York has more lawyers than people.
-- Warren Buffett, Fortune, 1999