Update of bug #17427 (project coreutils):

                  Status:                    None => Wont Fix
             Open/Closed:                    Open => Closed
_______________________________________________________

Follow-up Comment #1:

[I also replied to the Debian bug list, but here's another copy.]

This patch doesn't look safe to me. mkfifo and mknod should not open device files or fifos, since this has undesirable side effects in some cases. For example, opening and then closing a tape drive might rewind it.

As I wrote in April 2005, the original security issue is not a vulnerability in coreutils; it's a problem inherent to the Unix model. We cannot "fix" it by patching coreutils (and hundreds of other utilities). We must simply say: users cannot rely on directories that are writeable by untrusted users, unless the directories are sticky and are owned by trusted users. Sorry, but that's life in the Unix/Linux world.

That being said, mkdir can be made a bit "safer". It cannot be made completely "safe", though, in the sense that you're asking for, since in some cases mkdir won't be able to read the newly-created directory (and therefore can't open it) but POSIX still requires mkdir to chmod it in this case. Hence the patch you submitted here isn't quite right, since it sometimes gives up when it shouldn't.

We have fixed mkdir a different way in coreutils test version 6.1 <ftp://alpha.gnu.org/gnu/coreutils/coreutils-6.1.tar.gz>, so that it uses fchmod if possible, and falls back on chmod otherwise.

_______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?17427>
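
The "fchmod if possible, chmod otherwise" behaviour described in the comment above, as an added example. This is not coreutils code and not part of the original message; `set_dir_mode`, `mkdir_with_mode` and the scratch paths are hypothetical names, and the fallback is assumed to apply only when the open fails with EACCES.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not coreutils code: apply MODE to the directory DIR.
   Returns 0 on success, -1 with errno set on failure. */
int set_dir_mode(const char *dir, mode_t mode)
{
    /* O_NOFOLLOW rejects a symlink swapped in under this name; O_DIRECTORY
       rejects any non-directory. Opening a directory has no side effects. */
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd >= 0) {
        int rc = fchmod(fd, mode);  /* acts on the opened inode, not the name */
        int saved = errno;
        close(fd);
        errno = saved;
        return rc;
    }
    /* Unreadable directory (for example umask 0400): fall back to chmod by
       name, which is only trustworthy when the parent directory is. */
    return errno == EACCES ? chmod(dir, mode) : -1;
}

/* mkdir followed by an explicit mode change, as "mkdir -m" must do. */
int mkdir_with_mode(const char *dir, mode_t mode)
{
    if (mkdir(dir, S_IRWXU) != 0)
        return -1;
    return set_dir_mode(dir, mode);
}

int main(void)
{
    char base[] = "/tmp/mkdir-demo-XXXXXX";  /* constructed scratch location */
    char path[64];
    struct stat st;
    if (mkdtemp(base) == NULL)
        return 1;
    snprintf(path, sizeof path, "%s/d", base);
    if (mkdir_with_mode(path, 0750) != 0 || stat(path, &st) != 0)
        return 1;
    printf("%s mode %03o\n", path, (unsigned)(st.st_mode & 07777));
    return 0;
}
```

The chmod branch is the residual by-name operation the comment refers to: it is reached only when the new directory cannot be opened, and it relies on the parent directory not being writable by untrusted users.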