
Re: Bug#841196: ITP: node-os-homedir -- Node.js 4 `os.homedir()` ponyfill

* Lars Wirzenius <liw@liw.fi>, 2016-10-18, 17:57:
	if (process.platform === 'linux') {
		return home || (process.getuid() === 0 ? '/root' : (user ? '/home/' + user : null));

Things are more complicated than that. What exactly is this code meant to be used for?

This is so wrong, I would like to ask that this package not be allowed into Debian until it's fixed.

The WTFness of this code is certainly way above what we're normally used to, but (AIUI) it's only used as a fallback for nodejs < 4. Debian currently has 4.6.0.

If you assume /root is root's home directory, and it's actually someone else's directory, and you trust /root/.ssh/authorized_keys is root's authorized ssh keys, you're going to have a bad time.

Er, no. Making /root writable to another user is almost as clever as making /bin or /etc writable to others. A sysadmin who does that must be prepared to suffer consequences.

Jakub Wilk
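
The fallback quoted at the top of this message guesses the home directory from the uid and the user name. The following is an added example, not part of the thread or of node-os-homedir, that sets that guess beside a lookup of the home field in a passwd(5) record. The sample passwd text, the function names, and reading a flat passwd file instead of calling getpwuid(3) through NSS are assumptions of the example.

```javascript
// Added example. SAMPLE_PASSWD is constructed data, not taken from a real host.
const SAMPLE_PASSWD = [
  'root:x:0:0:root:/var/roothome:/bin/bash',
  'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin',
  'alice:x:1000:1000:Alice:/srv/users/alice:/bin/bash',
  'broken:x:notanumber',                        // malformed record, must be skipped
].join('\n');

// The guess quoted in the thread, with $HOME, uid and user passed in
// explicitly so the function can be exercised without touching `process`.
function guessedHome(home, uid, user) {
  return home || (uid === 0 ? '/root' : (user ? '/home/' + user : null));
}

// Return the home directory (6th field) of the passwd(5) record whose
// numeric uid matches, or null when there is no usable record.
function passwdHome(passwdText, uid) {
  for (const line of passwdText.split('\n')) {
    const fields = line.split(':');
    if (fields.length !== 7) continue;          // not a complete record
    if (!/^\d+$/.test(fields[2])) continue;     // uid field must be numeric
    if (Number(fields[2]) !== uid) continue;
    const dir = fields[5];
    return dir.startsWith('/') ? dir : null;    // reject empty or relative paths
  }
  return null;
}

// Put the guess and the recorded value side by side for one account.
function compare(passwdText, home, uid, user) {
  const guessed = guessedHome(home, uid, user);
  const recorded = passwdHome(passwdText, uid);
  return { guessed, recorded, agree: guessed === recorded };
}

// With $HOME unset, the guess and the record disagree for both accounts.
console.log(compare(SAMPLE_PASSWD, undefined, 0, 'root'));
console.log(compare(SAMPLE_PASSWD, undefined, 1000, 'alice'));
```

Code that goes on to trust files under the returned directory, such as `.ssh/authorized_keys`, should use the recorded value and treat a `null` result as an error instead of falling back to a guessed path.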
