[Labs-l] [tools] New version of take

Petr Bena benapetr at gmail.com
Sat Jun 22 16:07:01 UTC 2013


The issues:

no --verbose, --group, --help, --version, --recursive (it's recursive
every time, which may not be what the user wants)

no need to implement them, this version already has them and IMHO the
source code is more structured (it is also written in C++ but it uses
classes and it's not in 1 file only)

the issues you just pointed out will be quickly resolved...

On Sat, Jun 22, 2013 at 5:50 PM, Marc A. Pelletier <marc at uberbox.org> wrote:
> On 06/22/2013 09:20 AM, Petr Bena wrote:
>> More secure
>
> If you want, I'll do a complete security review but even at first glance
> your version is much less secure: you are using path names without
> holding the directories open, you are not guaranteeing your checks are
> all on the same object(s), and you have no guards against substitution
> through a race condition.
>
> Any utility of the sort must:
>
> (a) take ownership of files whose owning groups you are in
> (b) only in directories you own
>
> Anything else is overbroad and open to abuse in a number of ways.
>
> I don't know what issues and requests related to take you refer to, but
> I'd rather address them with the current scheme.  :-)
>
> -- Marc
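
The requirements in the quoted review (hold the directory open, run every check on the same object, leave no window for substitution), sketched in C as an added example that is not part of this thread or the take source. The names `take_one` and `in_group` are hypothetical, and a POSIX system is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not the take source; helper names are hypothetical. */
/* True if gid is one of the caller's groups. */
static int in_group(gid_t gid) {
    gid_t groups[256];
    int n = getgroups(256, groups);
    if (gid == getgid() || gid == getegid()) return 1;
    for (int i = 0; i < n; i++)
        if (groups[i] == gid) return 1;
    return 0;
}

/* Give `name` inside `dirpath` to `uid`. Returns 0 on success, -1 on refusal. */
int take_one(const char *dirpath, const char *name, uid_t uid) {
    struct stat ds, fs;
    int rc = -1, fd = -1;
    /* Hold the directory open: every later step is relative to this
     * descriptor, so replacing the path afterwards cannot redirect it. */
    int dfd = open(dirpath, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    /* (b) only in directories the caller owns, checked on the open object. */
    if (fstat(dfd, &ds) != 0 || ds.st_uid != uid) goto out;
    /* Open the entry itself; a symlink swapped in at `name` is refused. */
    fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) goto out;
    /* (a) owning group must be one of the caller's. fstat() and fchown()
     * use the same descriptor, so the check and the change hit one object. */
    if (fstat(fd, &fs) != 0 || !S_ISREG(fs.st_mode) || !in_group(fs.st_gid))
        goto out;
    if (fchown(fd, uid, (gid_t)-1) == 0) rc = 0;
out:
    if (fd >= 0) close(fd);
    close(dfd);
    return rc;
}

int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s DIR NAME\n", argv[0]); return 2; }
    return take_one(argv[1], argv[2], getuid()) == 0 ? 0 : 1;
}
```

`O_NOFOLLOW` only covers the final path component, so the directory path passed in still has to be one the caller is trusted to name.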