On Tuesday 11 September 2007 17:32, Ralf Friedl wrote:
> > User comes to you and says "I accidentally deleted my most important
> > directory. I know that you make daily backups. Can you restore
> > it from backup?"
> >
> > You do
> >
> > cp -a /backup/home/user/dir /home/user
> >
> > But user has crafted it so that backup contains
> > dir/many_more_dirs/innocuous_file, and he also
> > created a symlink
> >
> > ln -s /etc/passwd /home/user/dir/many_more_dirs/innocuous_file
> >
> > Now imagine the effect of the above cp command.
>
> Personally, I would never restore a backup over an existing directory,
> but to an empty one. From there I (or the user) could move the needed
> files to the right place.
>
> But I see your point.
>
> > The attacker doesn't write the file himself. He tricks root into doing it.
>
> The attacker creates the link and then must trick root into writing to
> it. That was clear.
>
> > GNU coreutils have cp --remove-destination. I think people
> > will forget to use it until it's too late.
> >
> > I see that for "cp file1 file2" it is a problem,
> > but for "cp -r dir1 dir2" it is exactly what you want. Right?
>
> So "cp -r" would imply "--remove-destination", while "cp without -r"
> would not?

For now I settle for that, with the addition "and if the destination is a
symlink, it is never opened (it is unlinked and a file is recreated
instead)". This goes regardless of -r. Will see whether this compromise is
good enough.
--
vda
_______________________________________________
busybox mailing list
busybox@busybox.net
http://busybox.net/cgi-bin/mailman/listinfo/busybox
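The rule vda settles on above (a symlink at the destination is never opened; it is unlinked and a regular file is recreated) can be checked in isolation. The following is an added example written for this page, not busybox's cp code: copy_no_follow() implements that rule and additionally opens the destination with O_NOFOLLOW, so a symlink that races into place between the lstat() and the open() makes the open() fail with ELOOP instead of being written through. demo_symlink_restore() rebuilds the scenario from the thread in a scratch directory under /tmp (all file names and contents are constructed for the demo; "target" stands in for /etc/passwd) and reports whether the stand-in for the protected file survived the restore.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy src to dst without ever writing through a symlink at dst.
 * A pre-existing symlink is unlinked and a fresh regular file created;
 * O_NOFOLLOW closes the lstat()/open() race. Returns 0 on success, -1 on error. */
int copy_no_follow(const char *src, const char *dst)
{
    struct stat st;
    if (lstat(dst, &st) == 0 && S_ISLNK(st.st_mode) && unlink(dst) != 0)
        return -1;
    int in = open(src, O_RDONLY);
    if (in < 0)
        return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (out < 0) {              /* ELOOP here means a symlink appeared after lstat() */
        close(in);
        return -1;
    }
    char buf[4096];
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n;) {
            ssize_t w = write(out, buf + off, n - off);
            if (w < 0) { close(in); close(out); return -1; }
            off += w;
        }
    }
    close(in);
    if (n < 0 || close(out) != 0)
        return -1;
    return 0;
}

/* Small helpers used only by the demo. */
static int write_text(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

static int read_text(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    buf[n] = '\0';
    fclose(f);
    return 0;
}

/* Constructed scenario: "target" stands in for /etc/passwd, "dst" is the restore
 * destination the user pre-seeded as a symlink to it, "src" is the backup copy.
 * Returns 1 if target is untouched and dst became a regular file holding the
 * backup content, 0 otherwise. */
int demo_symlink_restore(void)
{
    char dir[] = "/tmp/cp-nofollow-XXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char target[256], dst[256], src[256], buf[64];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(dst, sizeof dst, "%s/dst", dir);
    snprintf(src, sizeof src, "%s/src", dir);
    if (write_text(target, "root:x:0:0\n") != 0 || write_text(src, "backup data\n") != 0)
        return 0;
    if (symlink(target, dst) != 0)
        return 0;
    struct stat st;
    int ok = copy_no_follow(src, dst) == 0;
    ok = ok && lstat(dst, &st) == 0 && S_ISREG(st.st_mode);
    ok = ok && read_text(target, buf, sizeof buf) == 0 && strcmp(buf, "root:x:0:0\n") == 0;
    ok = ok && read_text(dst, buf, sizeof buf) == 0 && strcmp(buf, "backup data\n") == 0;
    unlink(target); unlink(dst); unlink(src); rmdir(dir);
    return ok;
}

int main(void)
{
    puts(demo_symlink_restore() ? "target untouched, dst recreated as a regular file"
                                : "FAILED");
    return 0;
}
```

Compile with `cc -Wall -o cp-nofollow cp-nofollow.c` and run it. The unlink-then-recreate step alone is not enough on its own, which is why the open() also carries O_NOFOLLOW: without it, a symlink placed between the lstat() and the open() would still be followed, and the copy would land in whatever the link points at.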