Matthias Gerstner changed bug 1170161
| What | Removed | Added |
|---|---|---|
| Status | IN_PROGRESS | RESOLVED |
| Resolution | --- | FIXED |

Comment # 4 on bug 1170161 from
As I said before, this logic still looks a bit shaky. The `_mkdir()` function
still performs a `chown()`, where a `lchown()` would be more on the safe side.

Theoretically, if another mount manager creates user-owned /media/$USER
directories, then the symlink attack would still basically work at least one
time. A user could then place /media/$USER/link -> /etc. enlightenment_system
would perform:

```
mkdir /media; chown 0:0 /media
mkdir /media/$USER; chown 0:0 /media/$USER
mkdir /media/$USER/link; chown 0:0 /media/$USER/link
```

Since the chown is now towards 0:0 the attack isn't that useful any more.

But a mount over a symlink could still cause trouble.
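
A symlink-safe form of the mkdir-then-chown walk discussed in the comment above, as an added example that is not part of the original comment and not Enlightenment's code. The helper name `safe_mkdir_chown` and the scratch paths are assumptions for illustration; the base directory is assumed to be trusted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create each component of rel below a trusted base
 * and chown it. Returns 0, or -1 if a component is a symlink/non-directory. */
int safe_mkdir_chown(const char *base, const char *rel, uid_t uid, gid_t gid)
{
    char buf[PATH_MAX], *save = NULL;
    if (strlen(rel) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, rel);
    int dirfd = open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) return -1;
    for (char *c = strtok_r(buf, "/", &save); c; c = strtok_r(NULL, "/", &save)) {
        if (!strcmp(c, ".") || !strcmp(c, "..")) { errno = EINVAL; goto fail; }
        /* mkdirat() never follows a symlink in the final component. */
        if (mkdirat(dirfd, c, 0755) < 0 && errno != EEXIST) goto fail;
        /* O_NOFOLLOW: a pre-planted symlink makes the open fail instead of
         * redirecting the walk and the ownership change that follows. */
        int next = openat(dirfd, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (next < 0) goto fail;
        /* fchown() acts on the inode just opened: no check-then-use window. */
        if (fchown(next, uid, gid) < 0) { int e = errno; close(next); errno = e; goto fail; }
        close(dirfd);
        dirfd = next;
    }
    close(dirfd);
    return 0;
fail:
    { int e = errno; close(dirfd); errno = e; }
    return -1;
}

int main(void)
{
    char tmp[] = "/tmp/mkdemoXXXXXX";   /* constructed scratch directory */
    if (!mkdtemp(tmp)) return 1;
    printf("a/b -> %d\n", safe_mkdir_chown(tmp, "a/b", getuid(), getgid()));
    return 0;
}
```

This covers only directory creation and ownership; it does not address the mount-over-a-symlink concern raised in the last line of the comment.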

