On 2007-11-11 23:29, Alain Williams wrote:
> /* It is possible, if unlikely, that the restricted directory will have been specified with
> * a symlink or .. in it. That will totally blow comparisons in allowed_access(). Resolve this.
> */
The likelihood that the restricted directory path will contain a symlink
or .. is completely unknown to your patch. In some organizations, the
likelihood may be as high as 1.

realpath() requires readability on all parent directories, which is also
not guaranteed.

You could get closer to your desired behavior by doing a stat on the
restricted directory, then iteratively calling stat(2) on the directory
containing the resolved name and checking for identity (device+inode)
with the restricted directory, working your way back through directory
components until either identity is found (allow) or the resolved path
is empty (disallow). This emulates what realpath(3) does without having
to generate the actual return path, and works because you can stat(2) a
directory you can traverse but not read.

--
Jefferson Ogata
NOAA Computer Incident Response Team (N-CIRT)
"Never try to retrieve anything from a bear."--National Park Service
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev
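The stat-and-walk-up check described in the post above, as an added example in C that is not part of this thread or of OpenSSH. It builds a constructed directory tree under /tmp so that a restricted directory spelled via a symlink or via `..` is still recognised by device+inode identity, while a plain string-prefix comparison of the kind the quoted patch worries about wrongly denies it. The function names `allowed_by_identity` and `scenario`, the global `naive_result`, and the tree layout are assumptions made for the example.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Identity check as the post describes: stat the restricted directory once,
 * then stat 'path' and each of its ancestors in turn, comparing device+inode.
 * Returns 1 (allow), 0 (disallow), -1 (restricted directory not stat-able).
 * Absolute paths assumed; ancestors need only be traversable, not readable. */
int allowed_by_identity(const char *restricted, const char *path)
{
    struct stat rst, st; char buf[4096], *slash;
    if (stat(restricted, &rst) != 0 || strlen(path) >= sizeof buf) return -1;
    strcpy(buf, path);
    for (;;) {
        if (stat(buf, &st) == 0 && st.st_dev == rst.st_dev && st.st_ino == rst.st_ino)
            return 1;                                /* identity found: allow */
        slash = strrchr(buf, '/');
        if (slash == NULL || slash == buf) return 0; /* only "/" left: disallow */
        *slash = '\0';                               /* drop the last component */
    }
}

/* Constructed scenarios (not from the post) in a fresh temp tree holding
 * <root>/real/chroot/sub, <root>/other and the symlink <root>/alias -> real.
 * which=1: restricted dir spelled via the symlink; 2: via ".."; 3: path outside.
 * Returns the identity-check result; naive_result gets the string-prefix test
 * the quoted patch worries about, which wrongly denies scenarios 1 and 2. */
int naive_result;
int scenario(int which)
{
    static char root[64];
    static const char *dirs[] = { "real", "real/chroot", "real/chroot/sub", "other" };
    static const char *spec[] = { "alias/chroot", "other/../real/chroot", "real/chroot" };
    static const char *want[] = { "real/chroot/sub/new.txt", "real/chroot/sub", "other/new.txt" };
    char r[4096], p[4096];
    if (root[0] == '\0') {                           /* build the tree once */
        strcpy(root, "/tmp/identXXXXXX");
        if (mkdtemp(root) == NULL) return -1;
        for (int i = 0; i < 4; i++) { snprintf(p, sizeof p, "%s/%s", root, dirs[i]); if (mkdir(p, 0700)) return -1; }
        snprintf(p, sizeof p, "%s/alias", root); if (symlink("real", p)) return -1;
    }
    snprintf(r, sizeof r, "%s/%s", root, spec[which - 1]);
    snprintf(p, sizeof p, "%s/%s", root, want[which - 1]);
    naive_result = strncmp(r, p, strlen(r)) == 0;    /* prefix test for contrast */
    return allowed_by_identity(r, p);
}
```

Note that, exactly as the post describes, only ancestors of the requested path are compared, so a symlink component in the requested path itself is followed by stat(2) and judged by where it lands, not by its name.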