[Debian-med-packaging] Bug#825119: jmodeltest: creates world writable /var/log/jmodeltest
Andreas Tille
tille at debian.org
Tue May 24 19:32:57 UTC 2016
On Tue, May 24, 2016 at 06:19:04PM +0200, Andreas Beckmann wrote:
> On 2016-05-24 17:10, Andreas Tille wrote:
> > Hi Andreas,
> >
> > thanks for running these tests. Could you please be more verbose in
> > how far it is a problem if a program enables users to write logs on a
> > collective place which is the intention of enabling users to write
> > there?
> >
> > I confirm that it's possible for other users to delete / change logs.
> > Well, yes, that could happen but it's not security relevant in my eyes.
> > Any better suggestion is welcome.
>
> Perhaps you want 1777?
Would you consider this a fix for the bug?
> Are the logfile names predictable? Created in a safe way?
The names are perfectly predictable.
> eve $ ln -sf /home/bob/important.file /var/log/jmodeltest/bob.log
> bob $ run_jmodeltest # overwrites /home/bob/important.file ?
I confirm this would be possible currently.
Thanks for taking care about issues like this.
Kind regards
Andreas.
--
http://fam-tille.de
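
The two questions raised in the thread (directory mode, and whether predictably named logs are created safely) can be checked as in the following added example, which is not code from this thread or from jmodeltest. It flags a world-writable log directory that lacks the sticky bit, and opens a log file with `O_NOFOLLOW` so that a link planted at the log path is refused instead of followed. The function names and the temporary paths are constructed for illustration, and Linux/POSIX semantics are assumed.

```python
import os
import stat
import tempfile

def dir_mode_problem(path):
    """Describe the risk in a shared log directory's mode, or return None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        return "world-writable, no sticky bit: users can delete each other's logs"
    return None

def open_log_safe(path):
    """Open a log for append without following a symlink at the final component."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # raises OSError if path is a symlink
    st = os.fstat(fd)
    # Also reject a file pre-created by someone else, or a hard link.
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid() or st.st_nlink != 1:
        os.close(fd)
        raise PermissionError("refusing to log to " + path)
    return os.fdopen(fd, "a")

def replay_thread_scenario():
    """Rebuild the quoted scenario in a temporary directory (constructed paths)."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        logdir = os.path.join(tmp, "logdir")
        os.mkdir(logdir)
        os.chmod(logdir, 0o777)
        result["mode_0777"] = dir_mode_problem(logdir)
        os.chmod(logdir, 0o1777)
        result["mode_1777"] = dir_mode_problem(logdir)
        target = os.path.join(tmp, "important.file")
        with open(target, "w") as f:
            f.write("precious")
        log = os.path.join(logdir, "bob.log")
        os.symlink(target, log)          # the pre-planted link from the thread
        try:
            open_log_safe(log).close()
            result["safe_open_refused"] = False
        except OSError:
            result["safe_open_refused"] = True
        with open(target) as f:
            result["target_intact"] = f.read() == "precious"
        with open(log, "w") as f:        # plain open follows the link
            f.write("log line\n")
        with open(target) as f:
            result["plain_open_overwrote"] = f.read() != "precious"
    return result
```

Mode 1777 clears the directory-mode finding, but the plain open still follows the link, so the sticky bit and safe file creation are separate fixes.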