Fwd: Re: need help with an rsync patch
Matthias Schniedermeyer
ms at citd.de
Tue Aug 13 06:36:53 MDT 2013
On 13.08.2013 14:20, Paul Slootman wrote:
> On Tue 13 Aug 2013, Matthias Schniedermeyer wrote:
> >
> > BUT there is no direct vulnerability in that, only processes after that
> > (like backup/rsync) can make a vulnerability out of it.
>
> ... which is what I already wrote.
I read your sentence differently:
> If he can make a HARD link to the shadow file, then he can already
> read it - and worse.
My understanding of your sentence says:
The ability to hardlink means that anyone can read any file they can
make a hardlink to.
Having access to the directory entry is not the same as having access to
the inode. User/group/permission is on the inode NOT the
directory-entry.
--
Matthias
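
The point above, that owner, group and mode live on the inode and not on the directory entry, as an added example (not part of the original message and not rsync code). The function names, file names and the pre-backup audit helper are hypothetical, and the sample file is constructed:

```python
import os
import stat
import tempfile


def link_metadata(workdir):
    """Create a 0600 file and a hard link to it; return both stat results."""
    original = os.path.join(workdir, "secret")      # constructed sample file
    alias = os.path.join(workdir, "alias")          # second directory entry
    with open(original, "w") as fh:
        fh.write("constructed sample data\n")
    os.chmod(original, 0o600)
    os.link(original, alias)                        # new name, same inode
    return os.stat(original), os.stat(alias)


def chmod_is_shared(workdir):
    """Change the mode through one name and read it back through the other."""
    original = os.path.join(workdir, "secret")
    alias = os.path.join(workdir, "alias")
    os.chmod(alias, 0o400)
    return stat.S_IMODE(os.stat(original).st_mode)


def multiply_linked_foreign(root, uid):
    """List regular files under root with more than one link whose inode
    is owned by someone other than uid (hypothetical pre-backup audit)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1 and st.st_uid != uid:
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        a, b = link_metadata(d)
        print("same inode:", (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino))
        print("mode via alias:", oct(stat.S_IMODE(b.st_mode)), "links:", b.st_nlink)
        print("mode via original after chmod on alias:", oct(chmod_is_shared(d)))
        print("flagged:", multiply_linked_foreign(d, os.getuid() + 1))
```

Both names report the same owner and mode because they resolve to one inode, so a new link leaves the access checks on the file's contents unchanged.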