oss-sec mailing list archives
Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync
From: Solar Designer <solar () openwall com>
Date: Sat, 21 Oct 2017 12:58:47 +0200
Robert, As a moderator, I let your questions through so far, as well as all replies. I think it is in fact beneficial to question things and make sure people are on the same page as to what constitutes (or does not constitute) a security issue, and what exactly the issues are. That said, please remember that your messages reach thousands of people and take up a tiny bit of each person's time - which adds up to way more time than you probably put into writing these messages. Thus, you're expected to invest quite some time into reading and thinking of the replies you got so far before you post anything further. To make this specific, please stop and re-read and think for 10 minutes before you possibly post anything else to this mailing list. I feel that you posted the below without giving it enough time and thought first: On Fri, Oct 20, 2017 at 11:08:14PM +0000, Robert Watson wrote:
Okay, so a script adds a symlink to /etc/shadow or something else confidential. Unless they're root, what good does it do them? They can't read it.
I think this specific question had already been addressed by Ben in: http://www.openwall.com/lists/oss-security/2017/10/18/12 "There's stuff that will be protected by permissions (for example, you shouldn't be able to pull down /etc/shadow - so long as nginx/apache isn't running as root), but there are other files that you might consider sensitive(ish). Pulling down /etc/passwd would give you a list of known good usernames to better target brute-force attempts (for example). Or perhaps using it to grab the config file of some dynamic site on the same server etc." When a thread starts going in circles like that, as a moderator I have to intervene and stop it. So I do. While we're at it, I also recommend that you avoid top-posting and over-quoting. Here's how to format your messages better: http://www.complang.tuwien.ac.at/anton/mail-news-errors.html http://www.netmeister.org/news/learn2quote.html I don't find this message formatting aspect terribly important per se, but I may use it as yet another unreliable indicator of whether the person posting cares for other people's time or not. If someone top-posts and quotes the previous message in its entirety on a mailing list (not in business correspondence, where this unfortunately became customary), chances are they didn't think much of what they're replying to and what they're posting as well. Alexander
Current thread:
- CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Bastian Blank (Oct 17)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 18)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Ben Tasker (Oct 18)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 19)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Seth Arnold (Oct 19)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 20)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Ben Tasker (Oct 20)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 21)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Solar Designer (Oct 21)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 21)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Simon McVittie (Oct 21)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Ben Tasker (Oct 18)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 18)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Seth Arnold (Oct 20)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Bastian Blank (Oct 21)