
Re: RFS: logkeys



On 23.02.2010 12:50, Jakub Wilk wrote:

> * Vedran Furač <vedran.furac@gmail.com>, 2010-02-23, 11:39:
>> It built fine for me. In fact, provided packages are from
>> /var/cache/pbuilder/result. Could you please paste the pbuilder output log?
>>
>>>> - if your package doesn't contain any blatant security
>>>> vulnerabilities (hint: symlink attack).
>>
>> Could you please tell me more about this? Only root should be able to
>> run this program:
> 
> That makes security issues more serious, doesn't it?
> 
> Just try this (better in a chroot or on a machine you don't want to use 
> any longer):
> - as a normal user: ln -s /bin/sh /tmp/logkeys.pid.lock
> - as root: logkeys -s

Huh, good catch, thanks. I didn't even notice it writes its pidfile to
/tmp. Moved (source patched) to the place where only root can write
(/var/run). Source package (re)uploaded.

Regards,
Vedran


-- 
http://vedranf.net | a8e7a7783ca0d460fee090cc584adc12
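
The fix in this thread moves the pidfile to a directory only root can write. As an added example (not logkeys code and not written by anyone in this thread), the C sketch below shows the complementary hardening at file-creation time, contrasting a naive fopen() writer with one that opens the file with O_CREAT | O_EXCL | O_NOFOLLOW. The function names, the /tmp/pidfile-demo-* scratch directory and the "victim" file are constructed for the demonstration, and the naive writer is an assumed pattern, not a quote of the original source.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Naive pattern (assumed): fopen("w") follows a symlink and truncates its target. */
int write_pidfile_unsafe(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fprintf(f, "%ld\n", (long)getpid());
    return fclose(f) == 0 ? 0 : -1;
}

/* Hypothetical hardened helper. O_EXCL fails with EEXIST if anything, symlink
 * included, already sits at path; O_NOFOLLOW refuses a final-component symlink. */
int write_pidfile_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0) return -1;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    int ok = write(fd, buf, (size_t)n) == n;
    if (close(fd) != 0) ok = 0;
    if (!ok) { unlink(path); return -1; }
    return 0;
}

/* Constructed scenario in a private temp dir: the lock path is a symlink to a
 * "victim" file. Returns 1 if the victim survives the writer, 0 if clobbered, -1 on setup error. */
int victim_survives(int (*writer)(const char *)) {
    char dir[] = "/tmp/pidfile-demo-XXXXXX", victim[64], lock[64], data[16];
    size_t n = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/demo.pid.lock", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("important", f) < 0 || fclose(f) != 0 || symlink(victim, lock) != 0) return -1;
    writer(lock);  /* the writer is handed the symlinked lock path */
    if ((f = fopen(victim, "r"))) { n = fread(data, 1, sizeof data - 1, f); fclose(f); }
    data[n] = '\0';
    unlink(lock); unlink(victim); rmdir(dir);
    return strcmp(data, "important") == 0;
}

int main(void) {
    printf("naive writer:    victim intact = %d\n", victim_survives(write_pidfile_unsafe));
    printf("hardened writer: victim intact = %d\n", victim_survives(write_pidfile_safe));
    return 0;
}
```

The hardened open only protects the final path component, so it complements keeping the pidfile in a root-only directory and does not replace it.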

