[Ace-users] [tao-users] Default file mode when creating (the "-o" IFR option in particular)

Jules Colding colding at 42tools.com
Thu Feb 28 08:59:17 CST 2008


Hi,

I'm using ACE and TAO x.6.2 to build Lorica(*) which is our IIOP  
Firewall project. It makes use of the IFR and will hand the "-o"  
option to it so that the IFR IOR gets written out to file.

Unfortunately this file is created with mode 666. This makes it  
possible for a malicious user to edit the IOR file and hijack future  
IFR sessions.

The file should obviously be created with mode 644. The attached patch  
naively fixes this but I think that we might need to look at how files  
are created throughout ACE and TAO to ensure that none are world  
writable.

BTW, the patch is very traditional C'ish, sorry about that...

Thoughts?


Best regards,
   jules


*) http://www.42tools.com/sites/default/files/downloads/dist/lorica/SOURCES/lorica-0.9.2.tar.gz


-------------- next part --------------
A non-text attachment was scrubbed...
Name: ifr_ior_file_mode.patch
Type: application/octet-stream
Size: 1338 bytes
Desc: not available
Url : http://list.isis.vanderbilt.edu/pipermail/ace-users/attachments/20080228/30b81643/attachment.obj 
-------------- next part --------------
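
The fix requested above, sketched as an added example (not part of the original post and not the attached patch): on POSIX, create the IOR file with an explicit 0644 mode and enforce it with fchmod(), so that neither the umask nor a pre-existing world-writable file leaves it editable by other users. The function names and the sample usage are assumptions made for illustration; this is not ACE/TAO code.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* expose open/fchmod/lstat declarations */
#endif
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits that let group members or other users modify the file. */
#define UNSAFE_WRITE_BITS (S_IWGRP | S_IWOTH)

/* Hypothetical helper: write `ior` to `path` so the file ends up with mode
 * 0644, whatever the process umask is and whatever mode an already
 * existing file had. Returns 0 on success, -1 on any failure. */
int write_ior_file(const char *path, const char *ior)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;

    /* open() applies its mode argument only when it creates the file, and
     * the umask is masked into it, so set the final mode on the descriptor. */
    if (fchmod(fd, 0644) != 0) {
        close(fd);
        return -1;
    }

    size_t len = strlen(ior);
    ssize_t n = write(fd, ior, len);
    if (close(fd) != 0 || n < 0 || (size_t)n != len)
        return -1;
    return 0;
}

/* Hypothetical audit helper for existing files:
 * 1 if group/other can write `path`, 0 if not, -1 if it cannot be stat'ed. */
int ior_file_is_tamperable(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (st.st_mode & UNSAFE_WRITE_BITS) ? 1 : 0;
}
```

The same audit helper can be run over any other files a server writes at startup to find ones that are group- or world-writable.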