My kneejerk reaction is that it's not worth making this change. The attack in question will work against almost any program that is operated in an insecure directory, including the "chmod" program itself. It'd be a real pain to work around this problem in all applications, one at a time, and it's not at all clear to me that it's even doable in general.
I suggest simply warning users that if you let bad guys modify your directories, you're asking for trouble. Which is certainly true in any event. That being said, it would be an easy security improvement if mkdir -m would use lchmod rather than chmod, on platforms where lchmod is available. There may be several other programs where this would be advisable as well, and similarly for lchown versus chown.