Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"TOCTOU" in instchown.c #263

Closed
schmonz opened this issue Feb 1, 2024 · 1 comment · Fixed by #266
Closed

"TOCTOU" in instchown.c #263

schmonz opened this issue Feb 1, 2024 · 1 comment · Fixed by #266
Labels
bug Something isn't working help wanted Extra attention is needed
Milestone
1.09

Comments

@schmonz
Copy link
Member

schmonz commented Feb 1, 2024

The Security tab shows a few TOCTOU in instchown.c. I vaguely recall having seen and discussed this before, but can't find it. Worth taking the analyzer's advice, or should we dismiss the alerts?
@schmonz schmonz added this to the 1.09 milestone Feb 1, 2024
@schmonz schmonz added bug Something isn't working help wanted Extra attention is needed labels Feb 2, 2024
@schmonz schmonz linked a pull request Feb 2, 2024 that will close this issue
instchown: operate on fds, not filenames. #266
Merged
@DerDakon
Copy link
Member

DerDakon commented Feb 3, 2024

No, this is totally pointless. These are files we just installed. And I can't find a check of existence at the place this is pointing to, it is just doing chown() and reports error And before it does chmod() and reports error..

@schmonz schmonz changed the title TOCTOU in instchown.c "TOCTOU" in instchown.c Feb 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working help wanted Extra attention is needed
Projects
None yet
Milestone
1.09
Development

Successfully merging a pull request may close this issue.

instchown: operate on fds, not filenames. notqmail/notqmail
2 participants
@schmonz @DerDakon