On Sun, 29 Jun 1997, Eric Thomas wrote:
> On Sun, 29 Jun 1997 10:02:07 -0400 David R Nessl <[log in to unmask]> said:
> >The technical problem in Unix is symlinks: a clever user could move
> >their /u/username/list-archives directory to another place and create
> >the symlink /u/username/list-archives -> newplace.
>
> That assumes the user owns another directory on the system that is not
> within the /u/username tree, which on a normal system would not be the
> case.
No, it could be moved to another subdirectory under their own home
directory, eg. /u/username/hidden-archives. That's the same filesystem,
and there's no need for it to be world-writable.
> >Then, LISTSERV's archive writing would still work but the `chown -R`
> >would not.
>
> Just write your own program that traverses symbolic links, it should take
> about 30 min.
OK, so someone moves their list-archive directory and then symlinks to
/etc/passwd or to LSVROOT; then later your suggested ownership-changer
program runs and gives the user ownership of files he shouldn't have. I
don't think so.
At this point I realize I'm not going to convince you to create the exit,
but I hope you at least recognize the reality of the problem, i.e. it
can't reliably be fixed by later processing.
> An even simpler alternative would be to
> put the per-user directory somewhere that the users can't access at all.
How? If end-users own the files (in order to get the charging right),
then because of the single directory tree in Unix those files will always
be accessible by the owners.
> It is actually a very bad idea to put these files under a Joe User
> directory where they can be manipulated randomly by someone who does not
> necessarily understand what these files are for and how they work.
> LISTSERV assumes that the files are not being tampered with by a third
> party while it uses them. I'll bet a large sum that the average user will
> assume that the digest file is here to be freely edited without worries,
> that these weird large unprintable dbwhatever files are designed to be
> removed so you can save disk space, and that the other log files can also
> be edited freely and without precaution. Then you'll be wondering why you
> get strange errors in your LISTSERV log :-) I just don't see any reason
> to give users a free run on these files.
That's a valid concern. So we should leave those small files
(LISTNAME.dbXXXX) owned by listserv, but change the ownership on the
really big files, i.e. the LISTNAME.logXXXX files, for charging.
David R Nessl -- Coordinator, Computer Systems (sysprog/sysadmin)
http://www.nerdc.ufl.edu/~david
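The ownership-changer discussed above can be written so that it never follows a link at all, which is the property `chown -R` lacked here. This is an added example, not code from the thread or from LISTSERV; it assumes a Unix host where Python's `os.fwalk` is available, and the `MYLIST.*` file names and the demo tree are constructed for illustration.

```python
import os
import stat
import tempfile

def chown_tree_nofollow(root, uid, gid, apply=False):
    """Change ownership of the directories and regular files below *root*
    without ever following a symbolic link.  Returns (changed, skipped)
    as lists of paths.  apply=False only plans, so the walk can be run
    without root privileges."""
    changed, skipped = [], []
    # If the top-level directory itself was replaced by a symlink (the
    # list-archives -> newplace trick), refuse the whole tree.
    if not stat.S_ISDIR(os.lstat(root).st_mode):
        return changed, [root]
    if apply:
        os.chown(root, uid, gid, follow_symlinks=False)
    changed.append(root)
    # os.fwalk yields an fd for each directory it visits; doing stat and
    # chown relative to that fd (dir_fd) with follow_symlinks=False means a
    # link swapped in between the two calls cannot redirect the chown to a
    # file outside the tree, which a name-based chown -R cannot guarantee.
    for dirpath, dirnames, filenames, dirfd in os.fwalk(root, follow_symlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(name, dir_fd=dirfd, follow_symlinks=False)
            if stat.S_ISDIR(st.st_mode) or stat.S_ISREG(st.st_mode):
                if apply:
                    os.chown(name, uid, gid, dir_fd=dirfd, follow_symlinks=False)
                changed.append(path)
            else:
                skipped.append(path)  # symlink (or device/fifo): chown -R might follow it
    return changed, skipped

def build_demo_tree():
    """Constructed sample layout (not from the thread): a per-user archive
    directory with a log, a dbindex file, a subdirectory and a symlink to a
    file outside the tree.  Returns (root, outside)."""
    base = tempfile.mkdtemp(prefix="lsv-demo-")
    outside = os.path.join(base, "not-yours")  # stands in for /etc/passwd
    with open(outside, "w") as f:
        f.write("outside the archive tree\n")
    root = os.path.join(base, "list-archives")
    os.mkdir(root)
    os.mkdir(os.path.join(root, "digests"))
    for name in ("MYLIST.LOG9706", "MYLIST.DBINDEX"):
        with open(os.path.join(root, name), "w") as f:
            f.write("archive data\n")
    os.symlink(outside, os.path.join(root, "MYLIST.LOG9705"))
    return root, outside
```

Running `chown_tree_nofollow(*build_demo_tree()[:1], 0, 0)` as a dry run lists the symlink under `skipped` and leaves the outside file untouched; a recursive chown that does not dereference links (GNU `chown -R` defaults to `-P`) avoids the simple case, but it still resolves every path by name, and the fd-relative form is what closes the swap-in-between race.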