[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Re: statement from one of the klik project members [was: The klik project and Debian]

Kurt Pfeifle wrote:

> > On Thu, Jan 19, 2006 at 08:34:59PM +0000, Kurt Pfeifle wrote:
> > > And third, klik doesn't really "install". It brings exactly 1 additional
> > > file (the *.cmg) onto the system. It works with "user only" privileges.
> >
> > Hang on. You loop-mount with user-only privileges? How?
> The klik client installation needs root privileges once, to add 7 lines 
> like this one to /etc/fstab:
>   /tmp/app/1/image /tmp/app/1 cramfs,iso9660 user,noauto,ro,loop,exec 0 0

Doesn't this introduce a local root exploit?  A user can easily write
their own /tmp/app/1/image file which contains, say, a setuid root bash


Attachment: signature.asc
Description: Digital signature

Reply to: