Re: Re: statement from one of the klik project members [was: The klik project and Debian]

To: debian-devel@lists.debian.org
Subject: Re: Re: statement from one of the klik project members [was: The klik project and Debian]
From: Cameron Patrick <cameron@patrick.wattle.id.au>
Date: Fri, 20 Jan 2006 13:20:26 +0800
Message-id: <[🔎] 20060120052026.GA3923@zeno.patrick.wattle.id.au>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 200601200056.26419.k1pfeifle@gmx.net>
References: <[🔎] 200601200056.26419.k1pfeifle@gmx.net>

Kurt Pfeifle wrote:

> > On Thu, Jan 19, 2006 at 08:34:59PM +0000, Kurt Pfeifle wrote:
> > > And third, klik doesn't really "install". It brings exactly 1 additional
> > > file (the *.cmg) onto the system. It works with "user only" privileges.
> >
> > Hang on. You loop-mount with user-only privileges? How?
> 
> The klik client installation needs root privileges once, to add 7 lines 
> like this one to /etc/fstab:
> 
>   /tmp/app/1/image /tmp/app/1 cramfs,iso9660 user,noauto,ro,loop,exec 0 0

Doesn't this introduce a local root exploit?  A user can easily write
their own /tmp/app/1/image file which contains, say, a setuid root bash
executable.

Cameron.

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: Re: statement from one of the klik project members [was: The klik project and Debian]
  - From: Wouter Verhelst <wouter@debian.org>

References:
- Re: Re: statement from one of the klik project members [was: The klik project and Debian]
  - From: Kurt Pfeifle <k1pfeifle@gmx.net>

Prev by Date: Re: Amendment to GR on GFDL, and the changes to the Social Contract
Next by Date: Re: when and why did python(-minimal) become essential?
Previous by thread: Re: Re: statement from one of the klik project members [was: The klik project and Debian]
Next by thread: Re: Re: statement from one of the klik project members [was: The klik project and Debian]
Index(es):
- Date
- Thread