On Fri, Jun 07, 2002 at 04:50:23PM -0400, Lawrence Teo wrote:
> My point is, if config.guess can be hardened against such potential symlink
> attacks, why shouldn't it be? Of course, it would be great to educate all
> admins not to build stuff as root. But it would also be a responsible thing
> to fix config.guess if we know that there's a potential issue in there.
[snip]
> Likewise, having a "hardened" config.guess file would not necessarily
> prevent symlink attacks, but it'll definitely make it much harder for an
> attacker to exploit it, even if the admin is sloppy.

An attacker is hardly likely to distribute a "hardened" config.guess.

Build untrusted packages as root. Hose your system. Repeat until lesson is
learned: do not build untrusted packages as root.

Bernd Jendrissek