Bug 24007
| Summary: | absolute symbolic link in RH install tree | | |
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Steve Holland <sh1> |
| Component: | anaconda | Assignee: | Matt Wilson <msw> |
| Status: | CLOSED RAWHIDE | QA Contact: | Brock Organ <borgan> |
| Severity: | medium | Priority: | medium |
| Version: | 7.0 | Keywords: | Security |
| Hardware: | All | OS: | Linux |
| Last Closed: | 2001-02-20 00:00:55 UTC | Doc Type: | Bug Fix |
Description
Steve Holland
2001-01-14 22:27:18 UTC
Assigning to a developer. This is not a security risk. The symlinks that point to /tmp are actually pointing to /tmp on the initial ramdisk during installation.

The symlinks do point to /tmp during the installation... That is not the bug. The problem is that when the tree is posted to a web server, the symlinks point to the /tmp directory of that server. This violates the security of the server unless other measures are taken (e.g. FollowSymLinks is disabled). One solution would be to change the instimage to an actual ISO image, then mount it with loopback during installation. Another would be to change the programs on the instimage so they don't require access to /tmp or have /tmp hardcoded in or read /tmp from a config file.

The next version of Red Hat Linux will have no symlinks in the install trees that one would put on a web or ftp server.
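A pre-publication check for the situation discussed in this report, added here as an example (it is not part of the bug report or of anaconda): it walks a tree that is about to be served over HTTP or FTP and lists symlinks whose targets are absolute or resolve outside the tree. The function names and the sample tree layout are assumptions constructed for illustration.

```python
import os
import tempfile


def find_escaping_symlinks(root):
    """Return sorted (link, target, reason) tuples for symlinks unsafe to publish."""
    root = os.path.realpath(root)
    findings = []
    # followlinks=False: symlinked directories are listed but never descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.readlink(path)
            rel = os.path.relpath(path, root)
            if os.path.isabs(target):
                # Resolves against the serving host's filesystem, e.g. its /tmp.
                findings.append((rel, target, "absolute"))
                continue
            resolved = os.path.realpath(os.path.join(dirpath, target))
            if os.path.commonpath([root, resolved]) != root:
                findings.append((rel, target, "escapes tree"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: an install-tree-like layout with three symlinks."""
    root = tempfile.mkdtemp(prefix="install-tree-")
    os.makedirs(os.path.join(root, "instimage", "bin"))
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "instimage", "bin", "busybox"), "w") as fh:
        fh.write("placeholder\n")
    # Absolute link, as described in the report.
    os.symlink("/tmp", os.path.join(root, "instimage", "tmp"))
    # Relative link that stays inside the tree: not reported.
    os.symlink("busybox", os.path.join(root, "instimage", "bin", "sh"))
    # Relative link that climbs out of the tree.
    os.symlink("../../outside", os.path.join(root, "docs", "up"))
    return root


if __name__ == "__main__":
    for link, target, reason in find_escaping_symlinks(build_sample_tree()):
        print(f"{link} -> {target} ({reason})")
```
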