At 11:12 AM 09/28/01 -0700, SRE wrote:
>>And params->index_read_only is set when called as swish-search.
>>But that's all it does.
>
>So the writing code is still linked in, but not called? And the
>switch is set based on the name by which the tool is invoked?
>That works for me, but probably not for my sysadmin. He wants
>a binary with no possible way to write files...

Can you get a new sysadmin? ;)  You mean the sysadmin allows people with
write access to run programs, but they want the programs to not allow write
access?  How does that provide any security?

% swish-search -i foo
Sorry, this program is in readonly mode

(Ok, fine, be that way!)
% rm -rf /

Removing all the fopen calls in write mode isn't going to protect against a
buffer overrun exploit, of course, or make up for poorly writen CGI scripts
that allow outside users unauthorized shell access.  Right?




Bill Moseley
mailto:moseley@hank.org