[Debian-med-packaging] Bug#825119: [anbe at debian.org: Re: Bug#825119: jmodeltest: creates world writable /var/log/jmodeltest]
Andreas Tille
andreas at an3as.eu
Wed May 25 06:19:38 UTC 2016
Hi Diego,
I received a bug report about the way I've choosen to enable logging for
jmodeltest. Since in the dist.dir is under /usr and you should be able
to mount /usr readonly you can not write logging files there. So I
decided to do the logging to /var/log/jmodeltest and did the mistake
to set permissions to 777 instead to 1777 (see below or the full bug
report[1]).
Before I might upload a fix I would like to know the role of these
logfiles, its intention and whether you might consider using mktemp to
safely create log names with unpredictable names.
Another solution would be to keep the logs in users homes in case the
log is for the single user anyway.
Kind regards
Andreas.
[1] https://bugs.debian.org/825119
----- Forwarded message from Andreas Beckmann <anbe at debian.org> -----
Date: Tue, 24 May 2016 18:19:04 +0200
From: Andreas Beckmann <anbe at debian.org>
To: Andreas Tille <tille at debian.org>, 825119 at bugs.debian.org
Subject: Re: Bug#825119: jmodeltest: creates world writable /var/log/jmodeltest
On 2016-05-24 17:10, Andreas Tille wrote:
> Hi Andreas,
>
> thanks for running these tests. Could you be please be more verbose in
> how far it is a problem if a program enables users to write logs on a
> collective place which is the intention of enabling users to write
> there?
>
> I confirm that its possible for other users to delete / change logs.
> Well, yes, that could happen but its not security relevant in my eyes.
> Any better suggestion is welcome.
Perhaps you want 1777?
Are the logfile names predictable? Created in a safe way?
eve $ ln -sf /home/bob/important.file /var/log/jmodeltest/bob.log
bob $ run_jmodeltest # overwrites /home/bob/important.file ?
Andreas
----- End forwarded message -----
--
http://fam-tille.de
More information about the Debian-med-packaging
mailing list