[Stable 7] CPIO breakage/

Sean Bruno seanbru at yahoo-inc.com
Fri Jun 18 17:51:51 UTC 2010


On Thu, 2010-06-17 at 15:13 -0700, Xin LI wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On 2010/06/17 13:53, Peter Jeremy wrote:
> > On 2010-Jun-15 17:22:50 -0700, Xin LI <delphij at delphij.net> wrote:
> >> On 2010/06/15 17:05, Sean Bruno wrote:
> >>> A little more background.  It looks like symlinks are getting stripped
> >>> of their '/' which sucks.  Ideas?
> > ...
> >>> e.g. /home/foo/bar -> /opt/baz/blob
> >>>
> >>> becomes
> >>>
> >>> home/foo/bar -> opt/baz/blob   
> >>>
> >>> Yuck.
> >>
> >> This is a security measure I think.
> > 
> > Can someone please explain how stripping a leading '/' off the
> > destination of a symlink enhances security?  The destination is
> > not being written to.
> > 
> >> --absolute-filenames disables this behavior.
> > 
> > This definitely reduces security and would seem to be far more
> > dangerous than being able to create symlinks to absolute pathnames.
> 
> Sorry I have misunderstood the original issue.  It's the link target
> being mangled and doesn't seem right to me.  I'll ask the author about this.
> 
> The attached patch should restore the old behavior.
> 
> Cheers,
> - -- 
> Xin LI <delphij at delphij.net>	http://www.delphij.net/
> FreeBSD - The Power to Serve!	       Live free or die



Yep, *this* patch seems to make things much happier.  I'll integrate
cpio 2.8 back into the Yahoo tree when this is merged in.

Thanks for your patience and work on -stable.

Sean
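
The distinction discussed in this thread, as an added example that is not part of the original messages and is not cpio's code: the member name is made relative to the extraction directory while the symlink target is stored unchanged. Going slightly beyond the thread, it also refuses members whose path passes through a symlink created earlier in the same archive. The function names and the sample members are assumptions constructed for illustration.

```python
import posixpath

def safe_member_name(name):
    """Return an archive member name made relative to the extraction directory."""
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError(f"unsafe member name: {name!r}")
    return "/".join(parts)

def plan_extraction(members):
    """Plan extraction of (name, kind, link_target) records.

    kind is 'dir', 'file' or 'symlink'. Member names are sanitized; link
    targets are passed through untouched, since creating the link writes
    only the link itself. A member whose parent path is a symlink created
    earlier in the same archive is rejected, because writing it would
    follow that link to wherever it points.
    """
    symlinks = set()
    plan = []
    for name, kind, target in members:
        rel = safe_member_name(name)
        parent = posixpath.dirname(rel)
        while parent:
            if parent in symlinks:
                raise ValueError(f"{rel!r} would be written through symlink {parent!r}")
            parent = posixpath.dirname(parent)
        if kind == "symlink":
            symlinks.add(rel)
        plan.append((rel, kind, target))
    return plan

# Constructed sample archive listing, using the paths quoted in the thread.
SAMPLE = [
    ("/home/foo", "dir", None),
    ("/home/foo/bar", "symlink", "/opt/baz/blob"),
    ("/home/foo/notes.txt", "file", None),
]

if __name__ == "__main__":
    for entry in plan_extraction(SAMPLE):
        print(entry)
```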


