nano-devel

Re: [Nano-devel] what is --nofollow good for?


From: Kamil Dudka
Subject: Re: [Nano-devel] what is --nofollow good for?
Date: Mon, 01 Feb 2016 16:37:57 +0100
User-agent: KMail/4.14.10 (Linux/4.3.3-303.fc23.x86_64; KDE/4.14.16; x86_64; ; )

On Monday 01 February 2016 09:30:50 address@hidden wrote:
> On 28 Jan 2016 16:18, Mike Frysinger wrote:
> > On 28 Jan 2016 19:54, Benno Schulenberg wrote:
> > > On Thu, Jan 28, 2016, at 17:47, Mike Frysinger wrote:
> > > > On 28 Jan 2016 10:01, Benno Schulenberg wrote:
> > > > > So this hasn't been working for at least twelve years.
> > > > > (And why should it?  If they want the symlink gone, they
> > > > > can simply delete it beforehand.  Why should nano do the
> > > > > work for them?)
> > > > 
> > > > because when you try to edit files in dirs that others have access
> > > > to, you want to make sure a save operation does not get redirected
> > > > to a place you did not intend.  simply saying "if there's a
> > > > symlink, you should delete it first" doesn't help.
> > > 
> > > Okay.  However, if the current code were working correctly,
> > > then there is a little time between the unlink of the symlink
> > > and the open(O_WRONLY | O_CREAT | O_TRUNC) of the file to be
> > > written.  So there is a window for someone to quickly recreate
> > > the symlink.  So --nofollow would give a false sense of security.
> > 
> > i'm not suggesting nano works well currently ;).  just providing
> > a real world example of where this functionality makes sense.  if
> > you don't want to support it, then so be it.
> > 
> > > Also, is there any other editor that has this feature: overwrite
> > > symlinks instead of following them?
> > 
> > no idea
> 
> This is just a short list
> 
> Editor name   Vulnerable   Notes
> ne            Y            Its full name is nice editor
> nedit         Y            Yells, screams, but still is vulnerable
> libreoffice   Y            Warns that file has changed, but not how
> xemacs        Y            Warns that file has changed, but not how
> adie          Y            brings up save dialogue every time
> 
> Sincerely, David

Vulnerable to what?  The symlink attack?

nano defends against this by printing the "File was modified since you opened it, 
continue saving ?" prompt, doesn't it?

    http://svn.savannah.gnu.org/viewvc/trunk/nano/src/files.c?root=nano&r1=4344&r2=4343

This used to be referred to as CVE-2010-1160:

    https://access.redhat.com/security/cve/cve-2010-1160

Kamil
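
The window between unlink() and open(O_WRONLY | O_CREAT | O_TRUNC) raised in the quoted thread can be avoided by never opening the destination name at all. The sketch below is an added example, not part of this message and not nano's code; the function names and the scratch directory under /tmp are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkstemp, mkdtemp, symlink, lstat */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not nano's code): save data to path without ever
 * opening path itself, so a symlink planted there is never followed. */
int save_replacing_symlink(const char *path, const char *data, size_t len)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp)
        return -1;
    /* mkstemp() opens with O_CREAT|O_EXCL: it fails rather than following
     * a pre-existing name, and creates the file with mode 0600. */
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    int ok = 1;
    for (size_t off = 0; ok && off < len; ) {
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) ok = 0; else off += (size_t)n;
    }
    if (ok && fsync(fd) != 0) ok = 0;
    if (close(fd) != 0) ok = 0;
    /* rename() swaps the directory entry atomically; if path is a symlink,
     * the link itself is replaced and its target is left untouched. */
    if (ok && rename(tmp, path) != 0) ok = 0;
    if (!ok) unlink(tmp);
    return ok ? 0 : -1;
}

/* Constructed scenario: "doc" is a symlink to "victim" in a scratch dir.
 * Returns 1 if, after saving, doc is a regular file and victim is intact. */
int demo_symlink_not_followed(void)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX", doc[64], victim[64];
    struct stat link_st, victim_st;
    if (!mkdtemp(dir)) return -1;
    snprintf(doc, sizeof doc, "%s/doc", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("keep", f) < 0 || fclose(f) != 0) return -1;
    if (symlink(victim, doc) != 0) return -1;
    if (save_replacing_symlink(doc, "new text\n", 9) != 0) return -1;
    if (lstat(doc, &link_st) != 0 || stat(victim, &victim_st) != 0) return -1;
    return S_ISREG(link_st.st_mode) && link_st.st_size == 9 && victim_st.st_size == 4;
}
```

The saved file gets a new inode with mode 0600, so an editor using this approach would also have to carry over the original permissions. Only the final path component is protected; a writable parent directory can still be swapped.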


