On Mon, 29 Dec 1997, Jon Lewis wrote:
> On Mon, 29 Dec 1997, Rob Hagopian wrote:
>
> I finally did run into a situation where the symlink patch caused some
> trouble, though the situation was resolvable. Here's a hypothetical
> situation similar to the one I ran into.
>
> Say we have a directory, /home/html/testing, mode 1775, owned by
> root.wwwadm. The dir is sticky because several "admins" have write
> access to it, but root doesn't want them stepping on each other's
> creations. Several people in group wwwadm make symlinks from this
> directory to other directories. Kernel is upgraded to one with the
> stack+symlink patches, suddenly the symlinks above do not work unless
> chown'd to root.
>
> Maybe that sort of situation was fairly unique, but I think it
> demonstrates, as others have suggested, that it would be nice if there
> were some way via /proc to enable|disable the symlink security features on
> a directory by directory basis.
>
> > These should dramatically decrease the security holes due to bad user-space
> > programming and so I really don't see why they should be excluded from the
>
> In my case, I decided the advantages outweighed the disadvantages, and
> have not considered removing the patches. I doubt I'll ever willingly
> compile kernels (at least for my own use) without these patches again.
>
> ------------------------------------------------------------------
> Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
> Network Administrator | be proof-read for $199/message.
> Florida Digital Turnpike |
> ______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
>
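
An added example, not part of the original thread: a pre-upgrade audit for the situation described in the quoted message, listing the symlinks in a sticky directory that a given process uid would no longer be able to follow. It assumes the patch follows a symlink in a sticky directory only when the link is owned by the directory's owner or by the process following it, which matches the "chown'd to root" fix in the message; the names `follow_refused` and `audit` are hypothetical.

```python
import os
import stat


def follow_refused(dir_mode, dir_uid, link_uid, follower_uid):
    """Return True if the assumed rule refuses to follow the symlink.

    Assumed rule (not taken from the patch source): in a sticky directory,
    a symlink is followed only if it is owned by the directory's owner or
    by the process doing the lookup.
    """
    if not dir_mode & stat.S_ISVTX:
        return False  # directory is not sticky: the restriction does not apply
    return link_uid != dir_uid and link_uid != follower_uid


def audit(directory, follower_uid):
    """List (name, link_uid, target) for symlinks directly inside `directory`
    that a process running as `follower_uid` could not follow."""
    d = os.lstat(directory)
    flagged = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_symlink():
                continue
            link_uid = entry.stat(follow_symlinks=False).st_uid
            if follow_refused(d.st_mode, d.st_uid, link_uid, follower_uid):
                flagged.append((entry.name, link_uid, os.readlink(entry.path)))
    return sorted(flagged)


if __name__ == "__main__":
    import sys

    # Usage: audit.py DIRECTORY FOLLOWER_UID  (e.g. the web server's uid)
    for name, uid, target in audit(sys.argv[1], int(sys.argv[2])):
        print(f"{name} -> {target}: owned by uid {uid}, not by the directory owner")
```

Run it against each sticky directory with the uid of the service that has to traverse the links; every entry it prints needs the same chown the message describes.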