yamt@netbsd.org (YAMAMOTO Takashi) writes:
>> On Fri, Apr 04, 2014 at 02:36:05AM +0000, YAMAMOTO Takashi wrote:
>>> openvswitch has some tricks to overcome the socket path length
>>> limitation using symlink. (or procfs where available)
>>> iirc these were introduced for debian builds which use deep CWD.
>> That's another reasonable approach. Does it have a notable advantage over
>> placing the socket in a subdirectory of /tmp? Offhand, the security and
>> compatibility consequences look similar.
> an advantage is that the socket can be placed under CWD
> and thus automatically obeys its directory permissions etc.
I'm confused. The proposed alternative is to make a symlink in /tmp
or someplace like that, pointing to a socket that might be deeply buried?
How is that any better from a security standpoint from putting the socket
right in /tmp? If /tmp is not sticky then an attacker can replace the
symlink, no?
regards, tom lane
