On 20040102T110521+0100, Javier Fernández-Sanguino Peña wrote: > commands it might be worthwhile to check their permissions and ownership > before making use of them (i.e. ensuring they are not world-writable and > that they belong to the current runing user).
... or to root, obviously. Yes, I was planning on doing that. > It is very common, however, to use configuration files in a way that they > can modify the way code is executed. For example: My concern is not that the file changes how the code works. It already does that. My concern is that if I add that pipe feature, a configuration file will be able to specify arbitrary shell commands to be executed without the user noticing it. My problem is, does this create a security problem. > http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/file-contents.html Thanks for that link. -- Antti-Juhani Kaijanaho, Debian developer http://www.iki.fi/gaia/
signature.asc
Description: Digital signature
