On Tue, Oct 21, 2014, at 10:55, Fiedler Roman wrote: > > Von: Ondřej Surý [mailto:ond...@sury.org] > > > > Hi, > > > > TL;DR: "s/touch -c/touch -c -h/", right? > > This will fix it for arbitrary symlinks, the only remaining issues would > be > > a) keeping open a file ".. xxxx", which will update the parent directory > modification time.
Which parent directory? The session dir or the symlink targe parent directory? > b) keeping open a file "[otherfilename] [random]", which will prevent > arbitrary other sessions from timing out. Since most likely malicious > process should be "www-data", this is not of any significance. The httpd user (www-data) has access to all session files if the attacker know the session name. Cheers, -- Ondřej Surý <ond...@sury.org> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
