On Sun, 29 Jun 1997 10:53:09 -0400 David R Nessl said:
>No, it could be moved to another subdirectory under their own home
>directory, e.g. /u/username/hidden-archives. That's the same filesystem,
>and there's no need for it to be world-writable.
I was assuming that you charge users for ALL their disk space, not just
the space related to LISTSERV. Under that assumption it doesn't matter if
they move the files around within their directory tree.
>OK, so someone moves their list-archive directory and then symlinks to
>/etc/passwd
You would only change files originally owned by LISTSERV, not root files.
>or to LSVROOT;
You have just uncovered a security flaw in your proposed design, which
exists with or without the 'chown' trick. By telling LISTSERV to create
files in a path under user control, you allow the controlling user to
create files anywhere on the system that LISTSERV has write access.
>At this point I realize I'm not going to convince you to create the
>exit, but I hope you at least recognize the reality of the problem, i.e.
>it can't reliably be fixed by later processing.
I am thoroughly unconvinced :-) I just don't understand why you can't do
it like everyone else and have a directory for each user that the users
do not have the beginning of any access to. You then count the space used
within that directory tree and bill for it. In my opinion the only VALID
reason to want the users to own the files is if you want to allow them to
edit them directly, which could make sense for file server related files
where LISTSERV is prepared for this possibility and there is no index
that needs to be kept in synch, etc.
>How? If end-users own the files (in order to get the charging right),
>then because of the single directory tree in Unix those files will
>always be accessible by the owners.
Not if they lack execute permission to the parent directory.
>That's a valid concern. So we should leave those small files
>(LISTNAME.dbXXXX) owned by listserv, but change the ownership on the
>really big files, i.e. the LISTNAME.logXXXX files, for charging.
If the user owns the directory, this will not be sufficient. And the
reverse index files are by no means small, at least not when multiplied
by 200 users...
Eric
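
An added example, not part of the original message and not LISTSERV code: a sketch of how a service could open an archive file while refusing the two cases raised in the thread, a symlink planted as the file name and an archive directory that other users can reach. The function names, the file names LIST.log9706/LIST.log9707 and the "owned by the service, no group/other access" policy are assumptions made for the illustration.

```python
import errno, os, stat, tempfile

def open_archive(dir_path, name, service_uid):
    """Open dir_path/name for append on behalf of the list server."""
    # O_NOFOLLOW guards only the last path component, so dir_path itself
    # must be reached through directories users cannot modify.
    dfd = os.open(dir_path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        d = os.fstat(dfd)
        # Assumed policy: directory owned by the service, no group/other access.
        if d.st_uid != service_uid or d.st_mode & 0o077:
            raise PermissionError(errno.EACCES, "archive directory not private")
        # A symlink planted as the file name makes this open fail (ELOOP on Linux).
        fd = os.open(name, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW,
                     0o600, dir_fd=dfd)
        f = os.fstat(fd)
        # Reject non-regular files, foreign owners and extra hard links.
        if not stat.S_ISREG(f.st_mode) or f.st_uid != service_uid or f.st_nlink != 1:
            os.close(fd)
            raise PermissionError(errno.EACCES, "unexpected archive file")
        return fd
    finally:
        os.close(dfd)

def attempt(dir_path, name, uid):
    """Append one line; return 'written' or the errno name of the refusal."""
    try:
        fd = open_archive(dir_path, name, uid)
        os.write(fd, b"appended\n")
        os.close(fd)
        return "written"
    except OSError as e:
        return errno.errorcode.get(e.errno, "error")

def demo():
    """Constructed scenario in a temporary directory; returns each outcome."""
    uid, root = os.getuid(), tempfile.mkdtemp()
    arch, victim = os.path.join(root, "archives"), os.path.join(root, "victim")
    os.mkdir(arch, 0o700)
    with open(victim, "w") as fh:
        fh.write("original\n")
    os.symlink(victim, os.path.join(arch, "LIST.log9706"))  # planted link
    out = {"symlink": attempt(arch, "LIST.log9706", uid),
           "regular": attempt(arch, "LIST.log9707", uid)}
    os.chmod(arch, 0o777)  # directory opened up to other users
    out["open_dir"] = attempt(arch, "LIST.log9707", uid)
    with open(victim) as fh:
        out["victim"] = fh.read()
    return out

if __name__ == "__main__":
    print(demo())
```

The ownership and mode check is the part that corresponds to keeping users out of the directory; O_NOFOLLOW alone does not help if a user can rename or replace a directory higher up the path.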