bug-bash

Re: Checking executability for asynchronous commands


From: Eli Schwartz
Subject: Re: Checking executability for asynchronous commands
Date: Tue, 29 Dec 2020 14:15:52 -0500

On 12/29/20 10:28 AM, Chet Ramey wrote:
> On 12/28/20 5:30 PM, Eli Schwartz wrote:
>
>> (Though I have to wonder at these amazing AWOL commands that get uninstalled on people all the time right in the middle of their scripts.
>
> It's a potential security concern, though that class of vulnerabilities
> mostly involves executables being changed between testing and execution.

Right, the race condition / security concern is specifically based on the idea that one is checking for permission / authority to run a program, possibly as setuid, and it gets replaced by something malicious before being used.

If you were going to blindly run the program either way, then having it be *uninstalled* (i.e. does not exist, period) is... probably not going to result in security concerns. It will just fail to run. And it would do so even without the race condition.

By all means, let people be concerned about their commands being replaced by attack code. Not about them being rm'ed.

--
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
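
The distinction drawn in the message above, as an added shell illustration that is not part of the original post or of bash: a command is pre-checked with `test -x` and then removed or replaced before it runs, and the result is compared with running it blindly. The names `run_tool`, `unchanged`, `removed` and `replaced` are hypothetical, and all files are constructed in a private temporary directory.

```shell
#!/bin/sh
# Added illustration; every file is constructed in a private temp directory.

# Events standing in for what can happen to a command between check and run.
unchanged() { :; }
removed()   { rm -f "$1"; }
replaced()  {
    printf '#!/bin/sh\necho replacement\n' > "$1.new"
    chmod +x "$1.new"
    mv "$1.new" "$1"
}

# run_tool MODE EVENT
#   MODE   "checked" (test -x first) or "blind" (just run it)
#   EVENT  one of the functions above, applied just before the run
# Prints "<output> rc=<exit status>" (output omitted when empty).
run_tool() {
    mode=$1 event=$2
    dir=$(mktemp -d) || return 1
    cmd=$dir/tool
    printf '#!/bin/sh\necho original\n' > "$cmd"
    chmod +x "$cmd"
    # The pre-check sees the original file, so it always passes here.
    if [ "$mode" = checked ] && ! [ -x "$cmd" ]; then
        rm -rf "$dir"
        echo "rc=126"
        return 0
    fi
    "$event" "$cmd"                        # window between check and use
    out=$("$cmd" 2>/dev/null) && rc=0 || rc=$?
    rm -rf "$dir"
    echo "${out:+$out }rc=$rc"
}

for event in unchanged removed replaced; do
    echo "$event: checked='$(run_tool checked "$event")' blind='$(run_tool blind "$event")'"
done
```

In both modes the removed command fails with status 127 and the replaced command runs the replacement, so the pre-check changes neither outcome; only the replacement case executes something that was never checked.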
