The Fungi <fu...@yuggoth.org> writes:

> On Sat, May 15, 2010 at 02:34:57PM -0700, Russ Allbery wrote:

>> That's a good idea. I'm not sure if all UNIX group systems allow one to
>> ask how many users are a member of a particular group, but if there's a
>> way to ask that question at least in those group systems that support
>> it, the implementation should be fairly straightforward.

> This is racy, unfortunately (at least by itself). Consider a non-UPG
> system which starts with one user... this check passes and files get
> created with group write flagged. Later, subsequent users appear sharing
> that same group and the default umask stops making new files
> group-writeable, but the first user's original files are now able to be
> modified by others (and then his account is immediately at risk of being
> taken over by one of the new users without his knowledge).

> Of course, coupled with other checks like uname==gname, parsing
> login.defs, et cetera, it could add an extra layer of assurance.

Right, exactly. You also check that username == group name, but it's an
additional check to be sure that the group doesn't just happen to look like
a user private group but isn't.

-- 
Russ Allbery (r...@debian.org)             <http://www.eyrie.org/~eagle/>

Archive: http://lists.debian.org/87ljbjg05j....@windlord.stanford.edu
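The layered check the thread arrives at (USERGROUPS_ENAB in login.defs, primary group named after the user, and nobody else in that group) as an added Python example that is not code from the thread or from any Debian package; it still only sees a snapshot of the group database, so the race Fungi describes is narrowed, not removed. The passwd and group entries and the login.defs excerpt are constructed, and namedtuples stand in for pwd/grp structs so it runs offline.

```python
import re
from collections import namedtuple

# Stand-ins for the pwd.struct_passwd / grp.struct_group fields used below,
# so the check runs on constructed data instead of the live system.
PwEntry = namedtuple("PwEntry", "pw_name pw_uid pw_gid")
GrEntry = namedtuple("GrEntry", "gr_name gr_gid gr_mem")

def usergroups_enabled(login_defs_text):
    """True if login.defs sets USERGROUPS_ENAB yes (comments ignored)."""
    for line in login_defs_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"USERGROUPS_ENAB\s+(\S+)$", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() == "yes"
    return False

def is_private_group(user, passwd_db, group_db, login_defs_text):
    """All checks from the thread at once: UPGs are enabled, the user's
    primary group carries the user's name, and nobody else belongs to it,
    neither as a supplementary member nor via another passwd entry's
    primary gid.  Still a point-in-time answer: members added later are
    invisible here, which is the race described above."""
    if not usergroups_enabled(login_defs_text):
        return False
    pw = next((p for p in passwd_db if p.pw_name == user), None)
    if pw is None:
        return False
    gr = next((g for g in group_db if g.gr_gid == pw.pw_gid), None)
    if gr is None or gr.gr_name != user:
        return False
    if any(m != user for m in gr.gr_mem):
        return False
    return not any(p.pw_gid == gr.gr_gid and p.pw_name != user for p in passwd_db)

def default_umask(user, passwd_db, group_db, login_defs_text):
    """Relax to 002 only when the primary group passes every check."""
    return 0o002 if is_private_group(user, passwd_db, group_db, login_defs_text) else 0o022

# Constructed sample data (hypothetical accounts, not from any real system).
LOGIN_DEFS = "# /etc/login.defs excerpt\nUMASK 022\nUSERGROUPS_ENAB yes\n"
PASSWD = [PwEntry("alice", 1000, 1000), PwEntry("bob", 1001, 1001),
          PwEntry("carol", 1002, 100), PwEntry("dave", 1003, 1001),
          PwEntry("erin", 1004, 1004)]
GROUPS = [GrEntry("alice", 1000, []), GrEntry("bob", 1001, []),
          GrEntry("users", 100, []), GrEntry("erin", 1004, ["alice"])]

if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "erin"):
        print(name, oct(default_umask(name, PASSWD, GROUPS, LOGIN_DEFS)))
```

Only alice gets 002: bob's group is also dave's primary gid, carol's primary group is the shared "users", and erin's group has alice as a supplementary member.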