So long as the server does absolutely no special processing for symlinks, they will grant no access that isn't already granted. In the /etc/passwd example, if you wisely don't export (share) /etc/passwd, exporting a symlink to it will not make it accessible to a client. The client will just perform 2 transactions ending in permission denied rather than one. More likely, the client will read the symlink and then access its own local copy of /etc/passwd locally (which is normally permitted).
How could this be? If the server does no special processing for a symlink, then its actions on getting a request for that file would be 1: open() it, 2: read() it, 3: send it down the wire. The behaviour of open() on a symlink is to open the file pointed to by the symlink!
Not really. The point is, for a file server the permissions for sharing a file may be different to the permissions for a local user.
For example, on Unix machines the password file /etc/passwd is world readable (although on modern machines it doesn't actually contain passwords anymore). But usually you would not want to export /etc/passwd (e.g. it would let an attacker know all of the login names, which would help a lot in a dictionary attack on the passwords). But if the file sharing protocol doesn't know about symlinks, then a user would be able to put a symlink to /etc/passwd in a shared folder and make the passwd file remotely readable.
This gets even more complex if /restricted/files/thisone is itself an exported file from some other (secured) host. In that case, the correct way to assess permissions for a random user to access /home/user/symlink is whether the secure host would allow access from the client's machine. Otherwise you have the effect of a tunnel from the secure host to the outside world...
int symlink(const char *oldpath, const char *newpath);
DESCRIPTION symlink creates a symbolic link named newpath which contains the string oldpath.
Symbolic links are interpreted at run-time as if the contents of the link had been substituted into the path being followed to find a file or directory.
Symbolic links may contain .. path components, which (if used at the start of the link) refer to the parent directories of that in which the link resides.
A symbolic link (also known as a soft link) may point to an existing file or to a nonexistent one; the latter case is known as a dangling link.
NAME link - make a new name for a file
SYNOPSIS #include <unistd.h>
int link(const char *oldpath, const char *newpath);
DESCRIPTION link creates a new link (also known as a hard link) to an existing file.
If newpath exists it will not be overwritten.
This new name may be used exactly as the old one for any operation; both names refer to the same file (and so have the same permissions and ownership) and it is impossible to tell which name was the `original'.
Re:NTFS already does it since Win2K ! on Vista To Get Symlinks? (Score: 2, Informative)
Hard links are different to soft links (symlinks). Hard links are two (or more) files that refer to exactly the same physical storage; rather than one file being a link to the other file, both links are precisely equivalent. This is completely transparent - multiply-linked files are indistinguishable from singly-linked files.
Soft links are represented as a special text file that contains the name of the linked file. The default behavior on opening a soft link is to redirect and open the target file instead. Alternatively, you can use readlink() to get the contents of the soft link directly.
Presumably the security problem has something to do with symlinks that point to a file that the client does not have permission to read. If the server handles symlinks in a naive way, then on a request to open() a symlink it would open the target file (which is the usual behaviour of opening a symlink), but potentially with the wrong permissions.
If the server did no special behaviour for symlinks then they would appear to the client as a duplicate of the symlink target, an ordinary file.
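As an added example (not code from the thread or from any file server it mentions), this is the kind of "special processing" the comments above say a server needs before it open()s a client-supplied name: resolve every symlink and ".." component, then refuse the request when the real target lies outside the export. The export root, file names and throwaway directories are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Added example: the "special processing" a file server needs before it
 * open()s a client-supplied name. Returns 1 only if export_root/rel, with
 * every symlink and ".." resolved, still lies inside export_root. */
int stays_inside_export(const char *export_root, const char *rel)
{
    char root_real[PATH_MAX], target_real[PATH_MAX], full[PATH_MAX];
    if (realpath(export_root, root_real) == NULL)
        return 0;
    if (snprintf(full, sizeof full, "%s/%s", export_root, rel) >= (int)sizeof full)
        return 0;
    /* realpath() follows the whole chain; a dangling link makes it fail */
    if (realpath(full, target_real) == NULL)
        return 0;
    size_t n = strlen(root_real);
    if (strncmp(target_real, root_real, n) != 0)
        return 0;
    /* n == 1 means the export root is "/", which contains everything */
    return n == 1 || target_real[n] == '/' || target_real[n] == '\0';
}
static int touch(const char *p)   /* create an empty file; 0 on success */
{
    int fd = open(p, O_WRONLY | O_CREAT, 0644);
    return fd < 0 ? -1 : close(fd);
}
/* Builds a throwaway export holding one ordinary file and a symlink to a
 * file outside it (a constructed stand-in for /etc/passwd). Returns 0 when
 * the check allows the first and refuses the second, else the failing step. */
int run_demo(void)
{
    char export_dir[] = "/tmp/export.XXXXXX", outside_dir[] = "/tmp/outside.XXXXXX";
    char secret[PATH_MAX], readme[PATH_MAX], link[PATH_MAX];
    int rc = 0;
    if (mkdtemp(export_dir) == NULL || mkdtemp(outside_dir) == NULL) return 1;
    snprintf(secret, sizeof secret, "%s/secret", outside_dir);
    snprintf(readme, sizeof readme, "%s/readme", export_dir);
    snprintf(link, sizeof link, "%s/passwd", export_dir);
    if (touch(secret) || touch(readme) || symlink(secret, link)) rc = 2;
    else if (!stays_inside_export(export_dir, "readme")) rc = 3;          /* must allow */
    else if (stays_inside_export(export_dir, "passwd")) rc = 4;           /* must refuse */
    else if (stays_inside_export(export_dir, "../../etc/passwd")) rc = 5; /* must refuse */
    unlink(link); unlink(readme); unlink(secret); rmdir(export_dir); rmdir(outside_dir);
    return rc;
}
```

The check is done on the name before the open, so a real server would still want to open the resolved path it just validated (and ideally O_NOFOLLOW on the leaf) rather than the original name, to narrow the window between check and use.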
Whoa, I get modded 0, Troll for asking a legitimate question? Hands up all readers who immediately knew vim had an association with that Ugandan charity - the posted link had no mention of vim in it!
It's just an outgrowth of one of the many front companies the CIA uses to manage its finances. Is the whole thing dodgy? Of course, but it fits with the way the CIA has operated for a long time.
Re:I just want to say thanks. on Vim 6.4 Released (Score: 0, Troll)
Well, the thing about basic research, and indeed, education in general, is that the effects are not seen for many years later, and it is very hard to make causal relationships between events like a Nobel prize or new discovery, with something like a funding bonus that happened years earlier. But I don't like the reasoning you seem to be heading towards: "last time we increased education funding we didn't see any measurable results, so let's not bother trying anymore."
Wow, the first two paragraphs really are very good - the beginnings of a great troll! (and I mean that in the nicest possible way.) But the third paragraph really blew it - way too obvious :-(
That is a completely different situation. In fact you have one primary window, and the remainder are there only in the background, to be checked if you notice some movement in your peripheral vision, or you get curious as to which song is coming up next.
An analogous situation involving a TV would be:
You are watching a movie on the TV (1)
You have a phone nearby, so you will hear it if someone rings (2)
The radio is playing softly in the background, so you can hear for the next news broadcast (3)
Occasionally you glance out the window to see if the mail has come (4)
Now, trying to read a book and watch TV is distracting enough (and I would argue, impossible to do both properly at the same time), but even watching 2 TVs, unless it was something trivial, like two different angles of the same sporting match or something like that, is surely futile?
Reminds me of the day when military applications really were a cause for (possibly comic) revulsion. Nowadays if you responded in such a fashion to the military you would be branded a terrorist. sigh.
The DMCA prohibits trafficking in a circumvention device that controls access to a copyrighted work. Presumably if Sony are the copyright holders then they are not at fault if they themselves traffic in circumvention devices.
However if anyone other than Sony owns the copyright on even a single work that is protected by the same DRM scheme, then Sony are violating the DMCA.
This is the same argument that gives infinitely long copyright protection: even after the copyright has expired, if there exists any other copyrighted work using the same encryption scheme (a photo of the CEO's dog, for example), trafficking in a circumvention device is still illegal even if it was only for the purpose of viewing works already in the public domain.
That is completely wrong. Perhaps you are thinking of the Fields Medal in mathematics? That is sometimes described as the 'mathematics equivalent of the Nobel prize', but the selection criteria are quite different; it recognizes both existing work and future potential, and you have to be aged 40 or under to receive it.
The Nobel prize, on the other hand, is awarded purely for groundbreaking research, usually on the basis of a single seminal piece of research but sometimes something more like a 'lifetime achievement' award. In almost all cases, it is awarded long after the original research, when the impact can be properly judged in the historical context. For many Nobel laureates, the work they received the prize for was an exception in an otherwise ordinary career. And in some cases (the physics prize for the 3K microwave cosmic background comes to mind), the recipients were not actually scientists, but just stumbled upon the discovery by accident.
But realistically, if you wanted to program in C, being required to use a C++ compiler isn't much of a problem. Using C plus selected parts of C++ (especially parts of the standard library) is probably a useful 'language' by itself in fact.
The very sad thing is, the mistakes were introduced because someone mistakenly thought they actually knew the English language, and edited the original article.
An international team of astronomers [1] used two of the most powerful astronomical facilities available, the ESO Very Large Telescope (VLT) at Cerro Paranal and the Hubble Space Telescope (HST), to conduct a detailed study of 20 low redshift quasars. For 19 of them, they found, as expected, that these super massive black holes are surrounded by a host galaxy. But when they studied the bright quasar HE0450-2958, located some 5 billion light-years away, they couldn't find evidence for an encircling galaxy. This, the astronomers suggest, may indicate a rare case of collision between a seemingly normal spiral galaxy and a much more exotic object harbouring a very massive black hole.
Yes. AFAICT, the CNN article does not once refer to the ozone hole over Antarctica, but merely says that in some parts of the atmosphere the ozone is increasing, but in most parts it is still low. A very biased article, but I don't think any of their statements are actually incorrect.
Unix has had both kinds of link for aeons.
Umm, what does that site have to do with vim?
Hah! Sorry, but it is attitudes like yours that have brought about this mess.
This is probably the most insightful comment in this whole discussion!
Well, if the USA created xxx.us, no other countries would have a right to object.
http://www.root-servers.org/
Interesting question ... does destroying an incoming torpedo actually result in a net saving of human lives?
Wow, these firearm threads really bring out the nicest people!
Based on the headline, was anyone else expecting this to be another story about Kansas?
Hmm, I find it hard to see a finding of "you have no right to do that" as a 'technicality' ...