On Sun, 29 Jun 1997, Eric Thomas wrote:

> On Sun, 29 Jun 1997 10:02:07 -0400 David R Nessl <[log in to unmask]> said:
>
> >The technical problem in Unix is symlinks: a clever user could move
> >their /u/username/list-archives directory to another place and create
> >the symlink /u/username/list-archives -> newplace.
>
> That assumes the user owns another directory on the system that is not
> within the /u/username tree, which on a normal system would not be the
> case.

No, it could be moved to another subdirectory under their own home
directory, e.g. /u/username/hidden-archives. That's the same filesystem,
and there's no need for it to be world-writable.

> >Then, LISTSERV's archive writing would still work but the `chown -R`
> >would not.
>
> Just write your own program that traverses symbolic links, it should take
> about 30 min.

OK, so someone moves their list-archive directory and then symlinks to
/etc/passwd or to LSVROOT; then later your suggested ownership-changer
program runs and gives the user ownership of files he shouldn't have. I
don't think so. At this point I realize I'm not going to convince you to
create the exit, but I hope you at least recognize the reality of the
problem, i.e. it can't reliably be fixed by later processing.

> An even simpler alternative would be to
> put the per-user directory somewhere that the users can't access at all.

How? If end-users own the files (in order to get the charging right),
then because of the single directory tree in Unix those files will
always be accessible by the owners.

> It is actually a very bad idea to put these files under a Joe User
> directory where they can be manipulated randomly by someone who does not
> necessarily understand what these files are for and how they work.
> LISTSERV assumes that the files are not being tampered with by a third
> party while it uses them. I'll bet a large sum that the average user will
> assume that the digest file is here to be freely edited without worries,
> that these weird large unprintable dbwhatever files are designed to be
> removed so you can save disk space, and that the other log files can also
> be edited freely and without precaution. Then you'll be wondering why you
> get strange errors in your LISTSERV log :-) I just don't see any reason
> to give users a free run on these files.

That's a valid concern. So we should leave those small files
(LISTNAME.dbXXXX) owned by listserv, but change the ownership on the
really big files, i.e. the LISTNAME.logXXXX files, for charging.

David R Nessl -- Coordinator, Computer Systems (sysprog/sysadmin)
http://www.nerdc.ufl.edu/~david
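The thread turns on whether an after-the-fact ownership sweep can be made safe against a user who swaps a directory or file in their archive tree for a symlink to /etc/passwd or LSVROOT. The example below is added here as an illustration and is not LISTSERV code or anything from the original posters; it shows the shape such a sweep has to take to avoid that trap. Every step is fd-relative, directories and files are opened with O_NOFOLLOW so a planted symlink is never dereferenced, and the ownership check (still owned by the LISTSERV account, single link, name of the LISTNAME.logXXXX form) and the fchown() are applied to the same open file descriptor, so nothing can be substituted between the check and the change. The `is_log_file` rule, the `demo_constructed_tree` fixture and the filenames in it are assumptions made for the demonstration.

```c
/* Added example, not LISTSERV code: a recursive ownership changer that
 * never follows symbolic links and checks and chowns the same open fd. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed rule from the thread: only LISTNAME.logXXXX files are re-owned. */
static int is_log_file(const char *name)
{
    const char *p = strstr(name, ".log");
    return p != NULL && strlen(p) == strlen(".log") + 4;
}

/* Re-own one entry of the directory open on dfd. O_NOFOLLOW makes open()
 * fail with ELOOP on a symlink; O_NONBLOCK stops a planted FIFO hanging us.
 * fstat() and fchown() act on the same fd, so there is no check/use gap.
 * Returns 1 if changed, 0 if skipped, -1 on error. */
static int reown_one(int dfd, const char *name, uid_t expect_uid,
                     uid_t new_uid, gid_t new_gid)
{
    int fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return (errno == ELOOP) ? 0 : -1;
    struct stat st;
    int rc = 0;
    /* st_nlink == 1: a hard link to a listserv-owned file elsewhere (same
     * filesystem) would otherwise be re-owned through this tree. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1 &&
        st.st_uid == expect_uid && is_log_file(name))
        rc = (fchown(fd, new_uid, new_gid) == 0) ? 1 : -1;
    close(fd);
    return rc;
}

/* Walk the directory open on dfd (consumed here). Subdirectories are opened
 * with O_DIRECTORY|O_NOFOLLOW, so a symlinked directory is skipped, not
 * entered. Returns the number of files re-owned, or -1 on error. */
static int reown_dir(int dfd, uid_t expect_uid, uid_t new_uid, gid_t new_gid)
{
    DIR *d = fdopendir(dfd);
    if (d == NULL) { close(dfd); return -1; }
    int changed = 0;
    struct dirent *e;
    while (changed >= 0 && (e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        struct stat st;
        if (fstatat(dfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) { changed = -1; break; }
        if (S_ISLNK(st.st_mode))
            continue;                         /* never dereference a user's symlink */
        int n = 0;
        if (S_ISDIR(st.st_mode)) {
            int sub = openat(dfd, e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
            if (sub < 0) { if (errno == ELOOP || errno == ENOTDIR) continue; changed = -1; break; }
            n = reown_dir(sub, expect_uid, new_uid, new_gid);
        } else if (S_ISREG(st.st_mode)) {
            n = reown_one(dfd, e->d_name, expect_uid, new_uid, new_gid);
        }
        changed = (n < 0) ? -1 : changed + n;
    }
    closedir(d);
    return changed;
}

/* Entry point. If the user has replaced the archive directory itself with a
 * symlink (the case raised in the thread), this open fails and nothing is touched. */
int reown_archive_tree(const char *root, uid_t expect_uid, uid_t new_uid, gid_t new_gid)
{
    int fd = open(root, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    return reown_dir(fd, expect_uid, new_uid, new_gid);
}

/* Constructed fixture (not real data): two real log files (one in a subdir),
 * a db file, a symlink named like a log file aimed at /etc/passwd, and a
 * symlinked directory. Runs the sweep with the caller's own uid/gid so it
 * works unprivileged, cleans up, and returns the count, which must be 2. */
int demo_constructed_tree(void)
{
    char tmpl[4096];
    const char *base = getenv("TMPDIR");
    snprintf(tmpl, sizeof tmpl, "%s/reown-demo.XXXXXX", base ? base : "/tmp");
    char *root = mkdtemp(tmpl);
    if (root == NULL) return -1;
    int rfd = open(root, O_RDONLY | O_DIRECTORY);
    if (rfd < 0) return -1;
    int f;
    if ((f = openat(rfd, "LISTNAME.log9706", O_WRONLY | O_CREAT, 0600)) >= 0) close(f);
    if ((f = openat(rfd, "LISTNAME.dbnames", O_WRONLY | O_CREAT, 0600)) >= 0) close(f);
    symlinkat("/etc/passwd", rfd, "LISTNAME.log9705");   /* must be skipped */
    symlinkat("/etc", rfd, "escape");                    /* must not be entered */
    mkdirat(rfd, "old", 0700);
    int ofd = openat(rfd, "old", O_RDONLY | O_DIRECTORY);
    if ((f = openat(ofd, "LISTNAME.log9704", O_WRONLY | O_CREAT, 0600)) >= 0) close(f);

    int changed = reown_archive_tree(root, getuid(), getuid(), getgid());

    unlinkat(ofd, "LISTNAME.log9704", 0); close(ofd);
    unlinkat(rfd, "old", AT_REMOVEDIR);
    unlinkat(rfd, "escape", 0);
    unlinkat(rfd, "LISTNAME.log9705", 0);
    unlinkat(rfd, "LISTNAME.dbnames", 0);
    unlinkat(rfd, "LISTNAME.log9706", 0);
    close(rfd);
    rmdir(root);
    return changed;
}

int main(void)
{
    int n = demo_constructed_tree();
    printf("re-owned %d files\n", n);
    return n == 2 ? 0 : 1;
}
```

Run as the account that owns the tree (LISTSERV's, or root in production) and the sweep re-owns exactly the two real log files, leaving the db file, the symlink that merely looks like a log file, and the symlinked directory alone. The single-link check matters because a hard link on the same filesystem defeats a symlink-only check; it is the one case a `find ... -exec chown` style sweep cannot see. Note that this protects the sweep itself; it does not address the separate point in the thread that users with write access to the directory can still edit or delete the files LISTSERV relies on.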