Hi Sven,

* Sven Dowideit <[EMAIL PROTECTED]> [2007-10-23 10:37]:
> I have a few questions:
>
> What's the difference between
>
> chmod 777 /var/lib/twiki/working/tmp
>
> and
>
> chmod 777 /tmp/twiki

Can you please read the mail I wrote and Cced you in? I remember I wrote "The old solution is of course not secure too."

> as that is all it seems to me you're suggesting is the difference
> between a CVE raised on a maybe problem that requires a very odd set of
> circumstances and what you have labeled as a grave error.
>
> The tmp dir is used (mostly from apache, but also from the command line
> and cron jobs) for session files and rcs for its very short lived
> temporary files.
>
> working/tmp is NOT used for any web data, it is used by rcs (presumably
> responsible for its own security) and for session files which have their
> own uniqued filename.

NO ONE SAID THERE IS ANY WEB CONTENT STORED IN THERE, CAN YOU PLEASE JUST READ UP ON WHAT A SYMLINK ATTACK IS? THANKS!

> and so, I think you are in error, and need to read the code a little
> before you make assertions like this.

Are you going to tell me that this directory in which every user can write is *not* used by any process running with different privileges than the user's? If yes, you are right; if not, you are not, simple as that.

And I don't make any assertions, I just saw that you set insecure file permissions in /var and there is no reason to; look at your own /var, no more, no less.

This is the last mail from my side as long as you ignore what I wrote in previous mails.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
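The point under dispute above is a shared, world-writable directory (chmod 777 without the sticky bit) used by processes of different privilege, which is the precondition for a symlink race. The following is an added example, not code from this thread or from TWiki: an audit function that flags such a directory, a file-creation helper that refuses to follow a planted symlink, and a constructed scenario exercising both. All function names are the editor's own.

```python
"""Audit a shared tmp directory and create files in it without following
symlinks.  Added example; the directory layout in demo() is constructed."""
import os
import stat
import tempfile


def audit_shared_tmp(path: str) -> list:
    """Return findings explaining why `path` is unsafe as a tmp directory
    shared between users of different privilege (empty list = no finding)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["directory path is itself a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    # chmod 777 with no sticky bit: any local user may rename, unlink or
    # plant entries, so a privileged process opening a name there can be
    # redirected.  /tmp itself is 1777 for exactly this reason.
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("world-writable without sticky bit (use 1777 or 0770)")
    elif mode & stat.S_IWGRP and not mode & stat.S_ISVTX:
        findings.append("group-writable without sticky bit")
    return findings


def open_tmp_safely(directory: str, name: str) -> int:
    """Create `name` in `directory`; O_EXCL refuses any existing entry
    (including a symlink) and O_NOFOLLOW never traverses one.  Returns fd."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(os.path.join(directory, name), flags, 0o600)


def demo() -> dict:
    """Constructed scenario: the thread's chmod 777 dir, then the same dir
    with the sticky bit, then a pre-existing symlink where a file is wanted."""
    d = tempfile.mkdtemp()
    out = {}
    os.chmod(d, 0o777)                       # as in the thread
    out["findings_777"] = audit_shared_tmp(d)
    os.chmod(d, 0o1777)                      # sticky bit, like /tmp
    out["findings_1777"] = audit_shared_tmp(d)
    victim = os.path.join(d, "victim")
    open(victim, "w").close()
    os.symlink(victim, os.path.join(d, "planted"))   # simulated planted link
    try:
        os.close(open_tmp_safely(d, "planted"))
        out["followed_symlink"] = True
    except OSError:
        out["followed_symlink"] = False      # refused: victim untouched
    os.close(open_tmp_safely(d, "fresh"))
    out["fresh_created"] = os.path.isfile(os.path.join(d, "fresh"))
    return out
```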