Hi,

On Tuesday 23 October 2007 22:14, Joey wrote:
> I would not recommend considering this wikipedia page an authoritative
> reference for what can and cannot be used for symlink attacks.

Right. Nonetheless I found it useful to quickly point out the problem, even if the solution is not optimal.

> It's much simpler and better to simply use security best practices that
> avoid such attacks altogether. For example, make sure that temp files
> are opened with O_EXCL and symlink attacks become impossible.
>
> Never using mode 777 directories, and at least using +t on shared
> temporary directories such as /tmp is another such best practice that
> avoids a whole class of security problems.

Does the (testing) security team have a comprehensive page with security best and worst practices? To be able to point people at it, so one doesn't have to point at "random" wikipedia pages or google hits?

regards,
 Holger
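The two best practices Joey names in the quoted text, opening temp files with O_EXCL and requiring the sticky bit on world-writable temp directories, as an added C example that is not part of this thread or of any Debian package. The function names are my own, and the directories and files it creates under /tmp are constructed for the demonstration and removed again.

```c
/* Added example, not from the mailing-list thread.
 * Two checks that close the symlink-in-/tmp class of bugs:
 *  1. open(2) with O_CREAT|O_EXCL refuses a name that already exists,
 *     including a symlink someone planted there, so the write is never
 *     redirected to wherever the link points.
 *  2. A shared temp directory is only acceptable if it is not
 *     world-writable, or is world-writable with +t (sticky bit). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if dir is acceptable as a temp directory, 0 if it is a
 * world-writable directory without the sticky bit (the "mode 777"
 * case Joey warns about), -1 if it cannot be stat'ed. */
int tmpdir_is_safe(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0)            /* lstat: don't follow a linked dir */
        return -1;
    if (!S_ISDIR(st.st_mode))
        return 0;
    if (st.st_mode & S_IWOTH)            /* world-writable ... */
        return (st.st_mode & S_ISVTX) ? 1 : 0;   /* ... only OK with +t */
    return 1;
}

/* Create a new file at path, failing with EEXIST if anything (regular
 * file, symlink, dangling symlink, ...) already occupies that name.
 * Returns the descriptor or -1. */
int open_tempfile_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Shows the O_EXCL behaviour: first open succeeds, second open on the
 * same name fails with EEXIST, and a pre-planted (dangling) symlink at
 * the name is refused with EEXIST instead of being followed.
 * Returns 1 if all three observations hold. */
int demo_excl(void)
{
    char dir[] = "/tmp/excl-demo-XXXXXX";   /* constructed, private 0700 dir */
    char path[256], link[256];
    int ok = 1, fd;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/data", dir);
    snprintf(link, sizeof link, "%s/planted", dir);

    fd = open_tempfile_excl(path);
    if (fd < 0) ok = 0; else close(fd);

    errno = 0;
    if (open_tempfile_excl(path) != -1 || errno != EEXIST) ok = 0;

    /* Plant a symlink to a non-existent target, as an attacker would race
     * to do; O_CREAT|O_EXCL must still refuse it. */
    if (symlink("/nonexistent/target", link) != 0) ok = 0;
    errno = 0;
    if (open_tempfile_excl(link) != -1 || errno != EEXIST) ok = 0;

    unlink(link); unlink(path); rmdir(dir);
    return ok;
}

/* Shows the directory check against the three relevant modes.
 * Returns 1 if 0777 is rejected and both 01777 and 0700 are accepted. */
int demo_sticky_check(void)
{
    char dir[] = "/tmp/sticky-demo-XXXXXX";  /* constructed */
    int ok = 1;

    if (mkdtemp(dir) == NULL)
        return 0;
    if (chmod(dir, 0777) != 0 || tmpdir_is_safe(dir) != 0) ok = 0;   /* 777, no +t */
    if (chmod(dir, 01777) != 0 || tmpdir_is_safe(dir) != 1) ok = 0;  /* like /tmp */
    if (chmod(dir, 0700) != 0 || tmpdir_is_safe(dir) != 1) ok = 0;   /* private */
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("/tmp acceptable: %d\n", tmpdir_is_safe("/tmp"));
    printf("O_EXCL demo: %s\n", demo_excl() ? "ok" : "FAILED");
    printf("sticky-bit demo: %s\n", demo_sticky_check() ? "ok" : "FAILED");
    return 0;
}
```

The key property is that O_CREAT together with O_EXCL never follows a trailing symlink: open(2) fails with EEXIST regardless of where the link points, which is why mkstemp(3) uses exactly these flags internally. The directory check is what you would run at startup before trusting a configured temp directory.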