Making DO_POSIX_CP configurable
Ralf Friedl
Ralf.Friedl at online.de
Tue Sep 11 06:53:00 PDT 2007
Hi Denys
Can you point to real security problems from the use of cp with POSIX
semantics?
I know, the target of the copy operation could be a symbolic link to
some other file that would be overwritten. This would require the
attacker to have write permissions to the target directory and would
require cp to be used without the -i option. Normally, only /tmp is
world writable, and there is not much reason to copy files from
elsewhere to /tmp.
As most systems come with a POSIX compatible cp program, I think it
would be widely known if that was a serious security risk.
If you really think it is a security risk to write to the user specified
file, that would also be the case for every other program that writes to
a file.
Especially, by first unlinking the file, you break the following
assumptions in contrast to POSIX semantics:
- If the target file is a special file (block, character or pipe), the
special file is replaced with a regular file.
- The owner and permissions of the target file are not preserved.
- Properties like ACL or user_xattr of the target file are not preserved.
- Hard links of the target file are not preserved.
Regards
Ralf Friedl
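
The difference between the two overwrite semantics discussed in this message can be observed directly. The following is an added example, not part of the original message and not BusyBox code: the names `overwrite`, `run_case` and `struct outcome`, and the `/tmp/cpdemo.*` scratch path, are assumptions made for the demonstration. It builds a target with mode 0640 and one extra hard link, overwrites it each way, and reports whether the inode, link count and permissions survived.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct outcome { int same_inode, nlink, mode; };

/* Write data to dst using one of the two semantics being compared. */
static int overwrite(const char *dst, const char *data, int unlink_first) {
    if (unlink_first && unlink(dst) < 0) return -1;  /* drop the old name first */
    int fd = unlink_first
        ? open(dst, O_WRONLY | O_CREAT | O_EXCL, 0666)  /* brand-new file */
        : open(dst, O_WRONLY | O_TRUNC);  /* POSIX cp: truncate in place */
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Constructed scenario: a target with mode 0640 and one extra hard link. */
struct outcome run_case(int unlink_first) {
    struct outcome o = { -1, -1, -1 };
    char dir[64], dst[96], lnk[96];
    struct stat before, after;
    snprintf(dir, sizeof dir, "/tmp/cpdemo.%ld.%d", (long)getpid(), unlink_first);
    if (mkdir(dir, 0700) < 0) return o;  /* fails rather than reuse an existing path */
    snprintf(dst, sizeof dst, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/hardlink", dir);
    umask(022);  /* a freshly created 0666 file ends up 0644 */
    int fd = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && close(fd) == 0 && chmod(dst, 0640) == 0 &&
        link(dst, lnk) == 0 && stat(dst, &before) == 0 &&
        overwrite(dst, "new\n", unlink_first) == 0 && stat(dst, &after) == 0) {
        o.same_inode = before.st_ino == after.st_ino;
        o.nlink = (int)after.st_nlink;
        o.mode = (int)(after.st_mode & 0777);
    }
    unlink(dst); unlink(lnk); rmdir(dir);
    return o;
}

int main(void) {
    for (int u = 0; u <= 1; u++) {
        struct outcome o = run_case(u);
        printf("unlink_first=%d same_inode=%d nlink=%d mode=%04o\n",
               u, o.same_inode, o.nlink, o.mode);
    }
    return 0;
}
```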