> > Yes it does...you're making me nervous Philip, are you about to spring
> > something terrible on us?
>
> It's a standard symlink attack.
>
> Subversion uses apr_temp_dir_get as a location for some temporary
> files. Subversion creates temporary files using APR_CREATE|APR_EXCL
> which would usually ensure that the file really is a file newly
> created by the process. The OS400 code reopens such files which
> allows a number of attacks, e.g. if the attacker can delete the
> original file and replace it with a symlink then the process will
> overwrite the symlink destination.

There was potentially a relevant change in the previous version of OS/400
to prevent this. I have copied the text below. I say "potentially"
because I do not completely understand the issue, but this sounds somewhat
relevant.

Security update to the /tmp, /var, /QOpenSys/var, and
/QOpenSys/var/preserve directories

Starting in V5R3, the /tmp, /var, /QOpenSys/var, and /QOpenSys/var/preserve
directories might have the Restricted rename and unlink attribute set to
Yes. (Note: this attribute is equivalent to the S_ISVTX mode bit for a
directory.) This is being done for operating system commonality and
security purposes. If this attribute value is Yes, you cannot rename or
unlink objects within these directories unless one of the following is
true:

  - You are the owner of the object.
  - You are the owner of the directory.
  - You have all object (*ALLOBJ) special authority (this would be like Unix
    root).

Mark
Received on Fri Feb 24 00:05:56 2006
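
The reopen problem described in the quoted text, as an added example that is not part of the original message and is not Subversion, APR or OS/400 code: a POSIX C sketch of a reopen-by-path that is accepted only when the path still names the file created with O_CREAT|O_EXCL. The function names `reopen_checked` and `demo`, and the temporary paths, are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reopen `path` only if it is still the file behind `orig_fd`.
   Returns a new fd, or -1 if the path was swapped or is a symlink. */
int reopen_checked(int orig_fd, const char *path)
{
    struct stat a, b;
    int fd = open(path, O_WRONLY | O_NOFOLLOW);  /* refuse a symlink as last component */
    if (fd < 0) return -1;
    if (fstat(orig_fd, &a) != 0 || fstat(fd, &b) != 0 ||
        a.st_dev != b.st_dev || a.st_ino != b.st_ino || !S_ISREG(b.st_mode)) {
        close(fd);                               /* different object: path was replaced */
        return -1;
    }
    return fd;
}

/* Constructed scenario: exclusive create, optional swap of the path for a symlink,
   then the checked reopen. Returns 1 if accepted, 0 if refused, -1 on setup error. */
int demo(int swap)
{
    char dir[] = "/tmp/reopen-demo-XXXXXX", tmp[64], victim[64];
    int fd, fd2, vfd, ok;
    if (!mkdtemp(dir)) return -1;
    snprintf(tmp, sizeof tmp, "%s/tmpfile", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);    /* the original safe create */
    vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || vfd < 0) return -1;
    close(vfd);
    if (swap && (unlink(tmp) != 0 || symlink(victim, tmp) != 0)) return -1;
    fd2 = reopen_checked(fd, tmp);
    ok = (fd2 >= 0);
    if (fd2 >= 0) close(fd2);
    close(fd);
    unlink(tmp); unlink(victim); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("unchanged path: %d, swapped path: %d\n", demo(0), demo(1));
    return 0;
}
```

Keeping the descriptor from the exclusive create and never reopening by name avoids the check entirely; the restricted rename and unlink attribute (S_ISVTX) on the directory only limits who can perform the swap.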