From: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net>
To: Patrick McHardy <kaber@trash.net>
Cc: Gervasio Bernal <gervasiobernal@speedy.com.ar>,
netfilter-devel@lists.netfilter.org
Subject: Re: New extension: CRYPT target
Date: Tue, 23 May 2006 19:14:28 +0200 [thread overview]
Message-ID: <447342F4.2010405@gmx.net> (raw)
In-Reply-To: <44734149.2040900@trash.net>
Patrick McHardy wrote:
> Carl-Daniel Hailfinger wrote:
>> Gervasio Bernal wrote:
>>
>>> One possible solution would be to use a file to store the key, and chmod
>>> that file.That would be correct?
>>
>> No. Still leaves a race. You have to chmod the file before you store the
>> key in it. Then it would be ok.
>
> You are both very wrong :) What prevents someone from opening it
> before the chmod, and read it afterwards? This is what umask is
> for ..
umask alone won't help. If an attacker creates a file with the same
name in the same place before you open it and has that file open
before you write to it, he will still win. Correct umask and
opening it with O_CREAT|O_EXCL should mostly be safe, though.
I assume you want to do all this stuff as root. If /root is
only readable by root, create the file there and you should be
safe.
Regards,
Carl-Daniel
--
http://www.hailfinger.org/
next prev parent reply other threads:[~2006-05-23 17:14 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-21 15:59 New extension: CRYPT target Gervasio Bernal
2006-05-21 17:01 ` Carl-Daniel Hailfinger
2006-05-21 21:15 ` Gervasio Bernal
2006-05-21 22:17 ` Carl-Daniel Hailfinger
2006-05-22 23:49 ` Gervasio Bernal
2006-05-23 16:27 ` Gervasio Bernal
2006-05-23 16:46 ` Carl-Daniel Hailfinger
2006-05-23 17:07 ` Patrick McHardy
2006-05-23 17:14 ` Carl-Daniel Hailfinger [this message]
2006-05-23 23:13 ` Gervasio Bernal
2006-05-24 5:03 ` Patrick Schaaf
2006-05-23 18:26 ` Michael Richardson
2006-05-21 22:57 ` Michael Richardson
2006-05-22 23:36 ` Gervasio Bernal
2006-05-23 13:08 ` Michael Richardson
2006-05-23 17:19 ` Gervasio Bernal
2006-05-21 17:51 ` Martijn Lievaart
2006-05-21 20:34 ` Cedric Blancher
2006-05-21 21:01 ` Gervasio Bernal
2006-05-21 22:54 ` Michael Richardson
2006-05-21 20:27 ` Gervasio Bernal
2006-05-25 16:11 ` Lennart Poettering
2006-05-26 18:12 ` Gervasio Bernal
2006-05-26 18:25 ` Patrick McHardy
-- strict thread matches above, loose matches on Subject: below --
2006-05-23 23:33 Gervasio Bernal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=447342F4.2010405@gmx.net \
--to=c-d.hailfinger.devel.2006@gmx.net \
--cc=gervasiobernal@speedy.com.ar \
--cc=kaber@trash.net \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.