Hello.
Tetsuo Handa wrote:
> The "recursive" option will act something like
>
> allow_write /var/www/html/\*
> allow_write /var/www/html/\*/\*
> allow_write /var/www/html/\*/\*/\*
>
> and I don't think it is secure. It should be something like
>
> allow_write /var/www/html/\*.html
> allow_write /var/www/html/\*/\*.html
> allow_write /var/www/html/\*/\*/\*.html
I added recursive match operators, "\{" (start of repetition) and "\}" (end of
repetition) at revision 3012.
/\{dir\}/ matches one or more repetitions of dir (e.g. /dir/
/dir/dir/ /dir/dir/dir/ /dir/dir/dir/dir/ ).
The "\{" operator is permitted in the form of "/\{" sequence only.
The "\}" operator is permitted in the form of "\}/" sequence only.
No '/' is permitted between "\{" and "\}" operators.
Some examples:
/home/vladap/software/firefox/firefox/\{\*\}/\*.dat
/var/www/html/\{\*\-.\*\}/\*.html
/var/www/html/\{\*\-.\*\}/public/\*.html
/home/kumaneko/SVN/\{\*\-.svn\}/\*
/home/kumaneko/SVN/\{\*\}/\$\*/\{\*\}/.svn/entries
The key point is that the pattern enclosed by "\{" and "\}" does not match
the basename component. Users can (or have to) explicitly specify the basename
component (unless it ends with '/'). This is to avoid insecure matching
like "/var/www/html/\{\*\}".
Also, since "\{" and "\}" are permitted in the form of "/\{" and "\}/" only,
they do not conflict with TOMOYO's pathname subtraction operator "\-".
Does this specification satisfy your needs?
_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
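As an added illustration that is not part of this thread and not TOMOYO's own implementation, here is a small Python matcher that applies the rules of the message above exactly as it states them: "\{...\}" consumes one or more consecutive directory components (never the basename), "\{" is accepted only as "/\{" and "\}" only as "\}/", and "\*", "\$" and the "\-" subtraction operator behave as the examples in the message use them. The function names (parse_pattern, path_matches), the error handling and all sample paths are this example's own assumptions; nothing else about TOMOYO's pattern syntax is covered.

```python
# Added illustration of the "\{ ... \}" recursion operator described in the
# message above.  This is NOT TOMOYO's code: it is a small Python matcher that
# implements the semantics as the message states them (one or more repetitions,
# never the basename component), plus the \*, \$ and \- operators the
# examples rely on.  Everything else about TOMOYO's pattern syntax is left out.
import re


def _component_regex(pat):
    """Translate one component pattern (already split on \\-) to an anchored regex."""
    out = []
    i = 0
    while i < len(pat):
        if pat[i] == '\\':
            op = pat[i + 1] if i + 1 < len(pat) else ''
            if op == '*':          # any run of non-'/' characters (may be empty)
                out.append('[^/]*')
            elif op == '$':        # one or more decimal digits
                out.append('[0-9]+')
            else:
                raise ValueError('unsupported or misplaced operator \\%s in %r' % (op, pat))
            i += 2
        else:
            out.append(re.escape(pat[i]))
            i += 1
    return re.compile('^' + ''.join(out) + '$')


def _component_matches(pat, name):
    """\\- is subtraction: '\\*\\-.\\*' matches any name except those matching '.\\*'."""
    parts = pat.split('\\-')
    if not _component_regex(parts[0]).match(name):
        return False
    return not any(_component_regex(p).match(name) for p in parts[1:])


def parse_pattern(pattern):
    """Split an absolute pattern into ('one', comp) / ('rec', inner) items.

    Enforces the rules from the message: "\\{" only as "/\\{", "\\}" only as
    "\\}/" (so a recursive group can never be the basename), and no '/' inside
    the group (guaranteed here because we split on '/' first).
    """
    if not pattern.startswith('/'):
        raise ValueError('pattern must be absolute: %r' % pattern)
    comps = pattern.split('/')[1:]          # drop the empty head before the leading '/'
    parsed = []
    for idx, comp in enumerate(comps):
        if comp.startswith('\\{'):
            if not comp.endswith('\\}') or idx == len(comps) - 1:
                raise ValueError('"\\{...\\}" must be followed by "/": %r' % comp)
            inner = comp[2:-2]
            if '\\{' in inner or '\\}' in inner:
                raise ValueError('nested "\\{" or "\\}" in %r' % comp)
            parsed.append(('rec', inner))
        elif '\\{' in comp or '\\}' in comp:
            raise ValueError('"\\{" is only allowed as "/\\{" and "\\}" as "\\}/": %r' % comp)
        else:
            parsed.append(('one', comp))
    return parsed


def _match(parsed, names):
    if not parsed:
        return not names
    kind, pat = parsed[0]
    if kind == 'one':
        return bool(names) and _component_matches(pat, names[0]) \
            and _match(parsed[1:], names[1:])
    # 'rec': consume one or more consecutive components that each match `pat`,
    # and after every extension try the rest of the pattern on what is left.
    n = 0
    while n < len(names) and _component_matches(pat, names[n]):
        n += 1
        if _match(parsed[1:], names[n:]):
            return True
    return False


def path_matches(pattern, pathname):
    """True if the absolute `pathname` is matched by `pattern`."""
    if not pathname.startswith('/'):
        raise ValueError('pathname must be absolute: %r' % pathname)
    return _match(parse_pattern(pattern), pathname.split('/')[1:])


if __name__ == '__main__':
    # Constructed sample paths, not taken from any real system.
    html = r'/var/www/html/\{\*\-.\*\}/\*.html'
    for p in ('/var/www/html/site/index.html', '/var/www/html/index.html',
              '/var/www/html/.git/config.html', '/var/www/html/site/shell.php'):
        print('%-40s %s' % (p, path_matches(html, p)))
```

The matcher rejects "/var/www/html/\{\*\}" at parse time, since the group is not followed by "/", which is the syntactic guarantee the message relies on: a recursive group can widen the directory part of a rule but can never silently stand in for the basename, so "\*.html" still has to be spelled out.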