RE: Avoiding overwriting a symlinked target
From: Bill Mercer via curl-users <curl-users_at_lists.haxx.se>
Date: Sat, 1 Jan 2022 18:10:33 +0000
> A utility comprising a single executable could normally be installed in most Unix-
> like cases by downloading it to /usr/local/bin (via eg, sudo curl ... -o
> /usr/local/bin/utility) and setting executable permission.
>
> A user following instructions like this [1] had the problem that the destination
> file already existed as a symbolic link to firejail. As a result the instructions
> caused the firejail binary to be clobbered and all the user's supposedly firejailed
> programs were apparently replaced by the downloaded utility, until firejail was
> re-installed.
> Although this is an unusual case, the consequences were quite severe. It would
> be desirable to be able to give equally simple instructions that couldn't have that
> effect, regardless of what else the installation might have achieved.
My opinion is that this isn't really a problem for curl developers to solve. This is a problem with the software and instructions being followed. The same problem would have happened if the user used any other method to copy the file to that location. Even if this option were added to curl, it wouldn't prevent the problem from happening again, because the original instructions would have to be updated to tell people to use that option, and this would have to be done everywhere those instructions are reproduced.
Received on 2022-01-01
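The thread's failure mode and one way install instructions could avoid it, as an added example that is not part of the original messages or of curl: download to a temporary file in the destination directory, then rename it over the destination so an existing symlink is replaced rather than written through. The names `safe_install` and `make_sandbox` are hypothetical and the URL in the comment is a placeholder.

```shell
#!/bin/sh
# safe_install DEST FETCH_CMD...
# Runs FETCH_CMD with a temp path appended as its last argument, then renames
# the temp file over DEST. rename(2) replaces a symlink at DEST itself and
# never opens the file the symlink points to.
safe_install() {
    dest=$1; shift
    # [ -d ] follows symlinks: refuse, or mv would move the file *into* the dir.
    if [ -d "$dest" ]; then
        echo "safe_install: $dest is a directory" >&2
        return 1
    fi
    tmp=$(mktemp "$(dirname -- "$dest")/.install.XXXXXX") || return 1
    if "$@" "$tmp" && chmod 755 "$tmp" && mv -f -- "$tmp" "$dest"; then
        return 0
    fi
    rm -f -- "$tmp"   # failed fetch: leave DEST untouched
    return 1
}

# Constructed sandbox reproducing the report: "utility" is a symlink to "firejail".
make_sandbox() {
    sb=$(mktemp -d) || return 1
    printf 'firejail-binary\n' > "$sb/firejail"
    printf 'downloaded-utility\n' > "$sb/payload"
    ln -s firejail "$sb/utility"
    printf '%s\n' "$sb"
}

# Real use (URL is a placeholder), from a root shell:
#   safe_install /usr/local/bin/utility curl -fsSL https://example.invalid/utility -o
```

In the sandbox, `cat payload > utility` (which follows the symlink as `curl -o` does) overwrites `firejail`, while `safe_install "$sb/utility" cp "$sb/payload"` leaves `firejail` intact and turns `utility` into a regular file.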