> From: openssl-users On Behalf Of Michael
> Ströder via openssl-users
> Sent: Sunday, 18 September, 2022 04:27
>
> On 9/18/22 06:09, Philip Prindeville wrote:
> >> On Sep 15, 2022, at 4:27 PM, Michael Wojcik via openssl-users <us...@openssl.org> wrote:
> >> You still haven't explained your threa
On 9/18/22 06:09, Philip Prindeville wrote:
On Sep 15, 2022, at 4:27 PM, Michael Wojcik via openssl-users
wrote:
You still haven't explained your threat model, or what mitigation
the application can take if this requirement is violated, or why
you think this is a "best practice".
The threat
> On Sep 15, 2022, at 4:27 PM, Michael Wojcik via openssl-users
> wrote:
>
>> From: openssl-users On Behalf Of Philip
>> Prindeville
>> Sent: Thursday, 15 September, 2022 15:41
>
>> I was thinking of the case where the directory containing the keys (as
>> configured) is correctly owned, but
> From: openssl-users On Behalf Of Philip
> Prindeville
> Sent: Thursday, 15 September, 2022 15:41
> I was thinking of the case where the directory containing the keys (as
> configured) is correctly owned, but contains a symlink pointing outside of
> that directory somewhere else... say to a file
On 9/15/2022 3:15 PM, Shawn Heisey via openssl-users wrote:
If symlinks are used responsibly, they won't have security risks. In
general, if the program checks the ownership and permissions of the
actual file before using it, it shouldn't matter whether there is a
symlink or not.
As long as
On 9/15/22 15:40, Philip Prindeville wrote:
I was thinking of the case where the directory containing the keys (as
configured) is correctly owned, but contains a symlink pointing outside of that
directory somewhere else... say to a file owned by an ordinary user.
In that case, as has been poin
> On Sep 13, 2022, at 8:10 PM, Shawn Heisey via openssl-users
> wrote:
>
> On 9/13/22 14:17, Philip Prindeville wrote:
>> But what happens when the file we encounter is a symlink? If the symlink is
>> owned by root but the target isn't, or the target permissions aren't 0600 or
>> 0400...
On 9/13/22 14:17, Philip Prindeville wrote:
But what happens when the file we encounter is a symlink? If the symlink is
owned by root but the target isn't, or the target permissions aren't 0600 or
0400... Or the target is a symlink, or there's a symlink somewhere in the
target path, etc.
So
> From: openssl-users On Behalf Of Philip
> Prindeville
> Sent: Tuesday, 13 September, 2022 14:17
>
> I'm working on a bug in an application where the application config is given
> the directory path in which to find a key-store, which it then loads.
>
> My issue is this: a regular UNIX file is
Hi,
I'm working on a bug in an application where the application config is given
the directory path in which to find a key-store, which it then loads.
My issue is this: a regular UNIX file is trivial to handle (make sure it's
owned by "root" or the uid that the app runs at, and that it's 0600 o
10 matches