On Wed, Mar 20, 2013 at 12:48:06PM -0400, Jeff King wrote:
> Kind of gross, but I guess it is useful to some people.
Yes it is. The questions is if it's gross enough to never
leave my computer, or if someone else can find this useful.
>
> > +__git_recursive_stat ()
> > +{
> > + if test ! -e /tmp/gitbash.lock
> > + then
> > + touch /tmp/gitbash.lock
>
> This is a tmp-race security hole. E.g., do:
>
> ln -s /etc/nologin /tmp/gitbash.lock
>
> as a user; when root runs __git_recursive_stat, it will create
> /etc/nologin. It's not quite as bad as some other holes, because we only
> "touch" the file, not overwrite its contents, but you can see that it's
> possible to do some mischief.
>
> Should this maybe just be ~/.gitbash.lock or something?
Thank you! I totally missed that.
I guess a new solution would be to keep an access time-stamp in each
repository and with certain intervall run git status on that repository.
--
Med vänliga hälsningar
Fredrik Gustafsson
tel: 0733-608274
e-post: iveqy@xxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html