[Novalug] Gzip security hole?
Tux subscriber Dave Aronson
tux2dave at davearonson.com
Thu Sep 13 11:16:07 EDT 2007
Mike Shade [mailto:mshade at mshade.org] writes:
> why and how do I have permission to remove the file?
Because:
> This assumes that the current directory is writable to your user,
If you can write the dir, you can remove a file. Writing a dir *is* removing, or adding, or changing the data about, files (including subdirs). Doesn't matter who owns the file, or what permissions you've got on it. I don't think this is a security hole itself, though failure to realize it may lead to one.
Can you think of any file that root would be putting in a dir that someone else has write access to, that would present a security risk if its ownership were changed? I can't offhand....
-Dave
--
Dave Aronson
"Specialization is for insects." -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/
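
The rule described in the message above, as an added example that is not part of the original post: two constructed cases in throwaway temp directories show that the directory's write bit, not the file's own mode, decides whether a file can be removed or replaced. The function names are illustrative, and the second case is only meaningful when run as a non-root user.

```shell
#!/bin/sh
# Added demo (constructed): who may delete or replace a file is decided by
# the permissions of the containing directory, not by the file's own mode.
# Everything happens inside throwaway mktemp directories.

# Case 1: file mode 000, directory writable -> the file can be replaced.
replace_in_writable_dir() {
    d=$(mktemp -d) || return 2
    echo original > "$d/f"
    chmod 000 "$d/f"                 # we cannot read or write the file...
    chmod 700 "$d"                   # ...but we can write the directory
    if rm -f "$d/f" && echo replaced > "$d/f"; then
        result=$(cat "$d/f")         # new file, created and owned by us
    else
        result=failed
    fi
    rm -rf "$d"
    echo "$result"
}

# Case 2: file mode 666, directory read-only -> the file cannot be removed.
# root bypasses permission checks, so the result is only meaningful as a
# non-root user.
remove_in_readonly_dir() {
    d=$(mktemp -d) || return 2
    echo data > "$d/f"
    chmod 666 "$d/f"                 # the file itself is world-writable
    chmod 500 "$d"                   # no write bit on the directory
    if rm -f "$d/f" 2>/dev/null; then
        result=removed
    else
        result=blocked
    fi
    chmod 700 "$d"                   # restore so cleanup can proceed
    rm -rf "$d"
    echo "$result"
}

echo "mode-000 file in writable dir:  $(replace_in_writable_dir)"
echo "mode-666 file in read-only dir: $(remove_in_readonly_dir)"
```

On a directory with the sticky bit set (as on /tmp), removal is further restricted to the file's owner, the directory's owner, or root.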