Comment 23 for bug 634183
Revision history for this message
|
|
#23 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
I made no claim that POSIX ACL's have any security risk.
What I said is
1) there is other data attached to an inode beyond setuid/
that also will track with hardlink attacks. And its not just privilege escalation
that can lead to attack vectors, all of ACL's/capabilit
2) the solution should not be attempted in RPM, nor with endless
CVE's. RPM (or any application) cannot solve hardlink attacks.
3) There are other and more serious issues in RPM that are in
need of a CVE.
I'm not the moron who decided that a CVE was needed because RPM
did not clear POSIX ACL's
And I'm also not the moron who claimed that I dropped a security related
patch while checking into RPM CVS back in 2005.