[Ace-users] [tao-users] Default file mode when creating (the "-o" IFR option in particular)
Jules Colding
colding at 42tools.com
Thu Feb 28 08:59:17 CST 2008
Hi,

I'm using ACE and TAO x.6.2 to build Lorica(*) which is our IIOP
Firewall project. It makes use of the IFR and will hand the "-o"
option to it so that the IFR IOR gets written out to file.

Unfortunately this file is created with mode 666. This makes it
possible for a malicious user to edit the IOR file and hijack future
IFR sessions.

The file should obviously be created with mode 644. The attached patch
naively fixes this but I think that we might need to look at how files
are created throughout ACE and TAO to ensure that none are world
writable.

BTW, the patch is very traditional C'ish, sorry about that...

Thoughts?

Best regards,
jules

*) http://www.42tools.com/sites/default/files/downloads/dist/lorica/SOURCES/lorica-0.9.2.tar.gz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ifr_ior_file_mode.patch
Type: application/octet-stream
Size: 1338 bytes
Desc: not available
Url : http://list.isis.vanderbilt.edu/pipermail/ace-users/attachments/20080228/30b81643/attachment.obj
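The file-mode issue raised in the message above, as an added C example; it is not the scrubbed attachment and not ACE/TAO code. The function names, file names and sample IOR string are hypothetical, and the "before" assumes stdio-style creation, which requests mode 0666 and leaves the result to the process umask.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* "Before" (assumed): fopen() requests 0666; only umask narrows it. */
static int write_ior_default(const char *path, const char *ior)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int rc = (fputs(ior, f) < 0) ? -1 : 0;
    return (fclose(f) != 0) ? -1 : rc;
}

/* "After": request 0644 at creation. open()'s mode argument is ignored
 * when the file already exists, so fchmod() also tightens a leftover
 * world-writable file, and it does so regardless of umask. */
static int write_ior_0644(const char *path, const char *ior)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    size_t len = strlen(ior);
    int rc = 0;
    if (fchmod(fd, 0644) != 0) rc = -1;
    else if (write(fd, ior, len) != (ssize_t)len) rc = -1;
    if (close(fd) != 0) rc = -1;
    return rc;
}

/* Permission bits of path, or -1 if it cannot be stat()ed. */
static int file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}

int main(void)
{
    const char *ior = "IOR:constructed-sample\n"; /* constructed, not a real IOR */
    umask(0); /* permissive umask, e.g. a daemon that cleared it */
    write_ior_default("ifr_default.ior", ior);
    write_ior_0644("ifr_fixed.ior", ior);
    printf("default: %04o\n", (unsigned)file_mode("ifr_default.ior"));
    printf("fixed:   %04o\n", (unsigned)file_mode("ifr_fixed.ior"));
    return 0;
}
```

The same `file_mode()` check, masked with 022, can be run over every file a service writes to find other group- or world-writable outputs.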