[Android-tools-devel] Bug#823792: Bug#688280: policy issue not security
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Mar 2 00:45:57 UTC 2017
On Wed 2017-03-01 00:37:27 -0800, Hans-Christoph Steiner wrote:
> Yes, it still makes the log, but now at least with reasonable
> permissions, so its not a security issue any more but a Debian policy issue:
>
> $ ls -l /tmp/adb.1000.log
> -rw-r----- 1 1000 1000 179 Mar 1 08:31 /tmp/adb.1000.log
Why is this not a security issue? there are symlink/race conditions
here, which some modern kernels should defend against, but not all
kernels do. Please, let's get this fixed right.
> I suppose that path should be changed to /var/log/adb/
if the log is an ephemeral per-user log, it should be placed somewhere
like /run/user/$(id -u)/adb.log
--dkg
More information about the Android-tools-devel
mailing list