Re: Bug#496429: The possibility of attack with the help of symlinks in some Debian packages
Steve Langasek <vorlon@debian.org> writes:
> The example *is* wrong - the example given is never safe to run, because
> the only way to verify beforehand that /tmp/zenity is not a symlink to
> something more important is by first explicitly *creating* your file
> under /tmp (non-destructively), then check that it's not a symlink, and
> *then* run pilot-qof.
I dunno, I'd feel quite comfortable running that command on my personal
laptop, which has no other users and no remote login access. /tmp file
vulnerabilities are only vulnerabilities on multiuser systems. We don't
know for *packages* whether they'll be installed on multiuser systems, so
of course we have to fix them regardless, but in examples I think it's
often reasonable to be sloppier.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
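The safe sequence Steve describes (create the file under /tmp non-destructively, check that it is not a symlink, only then let the program write to it) as a shell script. This is an added example, not code from the bug report or from either poster; the call to pilot-qof is replaced by a stand-in that simply writes into the checked file, and the directory argument exists only so the functions can be exercised outside /tmp.

```shell
#!/bin/sh
# Added example: safe creation of a scratch file under /tmp.
# Not part of the Debian bug thread; "pilot-qof" is stood in for below.

# check_not_symlink PATH
# Succeeds only if PATH is a regular file, not a symlink, and owned by the
# caller ([ -O ] is supported by bash and dash). A pre-planted symlink at
# the expected name fails this check instead of redirecting the write.
check_not_symlink() {
    p=$1
    if [ -L "$p" ]; then
        echo "refusing: $p is a symlink" >&2
        return 1
    fi
    if [ ! -f "$p" ] || [ ! -O "$p" ]; then
        echo "refusing: $p is not a regular file owned by us" >&2
        return 1
    fi
    return 0
}

# safe_tmp_file [DIR]
# Creates a fresh, unpredictably named file under DIR (default /tmp) with
# mktemp, which uses O_EXCL semantics and therefore never reuses or follows
# an existing path. The symlink check afterwards is belt and braces.
# Prints the path of the new file on success.
safe_tmp_file() {
    dir=${1:-${TMPDIR:-/tmp}}
    f=$(mktemp "$dir/zenity.XXXXXX") || return 1
    if ! check_not_symlink "$f"; then
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$f"
}

# Demo: only after the file has been created and verified is it handed to
# the consumer. The printf stands in for "pilot-qof ... > $out".
main() {
    out=$(safe_tmp_file) || exit 1
    printf 'report data\n' > "$out"
    echo "wrote $out"
    rm -f "$out"
}

main "$@"
```

The fixed name `/tmp/zenity` from the original example is what makes it unsafe on a multiuser host; `mktemp` removes both the predictability and the check-then-use race, and `check_not_symlink` is what you would run if you had to keep a fixed name anyway.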