[Debian-med-packaging] Bug#689856: ensembl: misuse of "nobody" system user, potential unsafe use of /var/tmp
Ansgar Burchardt
ansgar at debian.org
Sun Oct 7 09:02:44 UTC 2012
Package: src:ensembl
Version: 63-1
Severity: important

ensembl uses the "nobody" system user for some directories (see
ensembl.postinst), but that user is not supposed to own any files:

    Daemons that need not own any files sometimes run as user nobody and
    group nogroup, although using a dedicated user is far preferable.
    Thus, no files on a system should be owned by this user or group.
     -- /usr/share/doc/base-passwd/users-and-groups.txt.gz

The use of /var/tmp/ensemle is also likely wrong. It's created in
postinst and might be removed at any later time (or somebody else might
have created a file or directory with this name).
Ansgar
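
Added example, not part of the original report or of the ensembl packaging: a shell check a maintainer script could run before trusting a pre-existing directory, covering the cases the report raises (a name somebody else created first, a location that can be emptied and re-created later). The function name, its exit codes and the numeric-uid argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Illustrative helper (hypothetical name, not from any Debian package).
# check_state_dir DIR UID: decide whether a maintainer script may use DIR,
# where UID is the numeric id of the package's dedicated system user.
# Exit codes: 0 ok, 1 missing, 2 symlink, 3 not a directory,
#             4 unexpected owner, 5 parent directory is world-writable.
check_state_dir() {
    dir=$1
    want_uid=$2

    # A symlink planted under the expected name redirects every later write,
    # so test for it before anything that would follow the link.
    if [ -L "$dir" ]; then echo "$dir: is a symlink" >&2; return 2; fi
    if [ ! -e "$dir" ]; then echo "$dir: missing" >&2; return 1; fi
    if [ ! -d "$dir" ]; then echo "$dir: not a directory" >&2; return 3; fi

    # The directory must belong to the dedicated user, not to whoever
    # happened to create the name first (and not to a shared account).
    have_uid=$(stat -c '%u' -- "$dir") || return 4
    if [ "$have_uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $have_uid, expected $want_uid" >&2
        return 4
    fi

    # In a world-writable parent such as /var/tmp the name can be removed by
    # a cleanup job and re-created by any local user afterwards, so the
    # location is rejected even when the current owner is correct.
    parent=$(dirname -- "$dir")
    parent_mode=$(stat -c '%a' -- "$parent") || return 5
    case $parent_mode in
        *[2367])
            echo "$dir: parent $parent is world-writable" >&2
            return 5
            ;;
    esac
    return 0
}
```

A directory below a root-owned location that is not world-writable, owned by a dedicated system user, passes all of these checks.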