
Re: Bug#466542: RFS: task-spooler



On Sat, Sep 03, 2011 at 12:07:59PM +0200, Ansgar Burchardt wrote:
> David Bremner <bremner@unb.ca> writes:
> You can have a symlink to a socket somewhere else which can then have a
> random name.  In case the real socket is in a world-writable directory,
> you also need to check that it is still your socket and was not replaced
> later (for example an attacker could recreate the socket after /tmp was
> cleaned on reboot).  At least Chromium, Akonadi and KDE do this.

That's the approach I wanted to take, as this was the only threat I could
imagine. So, I'll simply check the ownership. I'll release a new version with
that. The patch should be simple.

Thank you,
Lluís.
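
The ownership check discussed in this thread, as an added example in C; it is not task-spooler's actual patch. The names `socket_is_ours` and `demo` are hypothetical, and the sample paths are constructed in a private temporary directory.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkdtemp, symlink, S_ISSOCK */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Returns 1 only if path (followed through any symlink) is a Unix socket
 * owned by the effective user; 0 otherwise, including when it is missing. */
int socket_is_ours(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return 0;      /* stat() follows the symlink */
    if (!S_ISSOCK(st.st_mode)) return 0;     /* replaced by a file, FIFO, ... */
    return st.st_uid == geteuid();           /* recreated by another user? */
}

/* Constructed self-check: a real socket, a symlink to it, a regular file
 * and a dangling symlink. Returns a bitmask of the paths accepted
 * (bit 0 = socket, 1 = symlink, 2 = regular file, 3 = dangling symlink). */
int demo(void)
{
    char dir[] = "/tmp/sockdemo.XXXXXX", p[4][128];
    const char *names[4] = { "real.sock", "link", "plain", "dangling" };
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    int fd, i, mask = 0;
    FILE *f;

    if (!mkdtemp(dir)) return -1;
    for (i = 0; i < 4; i++)
        snprintf(p[i], sizeof p[i], "%s/%s", dir, names[i]);
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    strncpy(addr.sun_path, p[0], sizeof addr.sun_path - 1);
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0) return -1;
    if (symlink(p[0], p[1]) != 0 || symlink("missing", p[3]) != 0) return -1;
    if (!(f = fopen(p[2], "w"))) return -1;
    fclose(f);
    for (i = 0; i < 4; i++)
        mask |= socket_is_ours(p[i]) << i;
    for (i = 0; i < 4; i++) unlink(p[i]);    /* clean up the constructed files */
    close(fd); rmdir(dir);
    return mask;
}

int main(void) { printf("accepted mask: %d\n", demo()); return 0; }
```

A check made by path leaves a window between `stat()` and `connect()`; on Linux, `getsockopt()` with `SO_PEERCRED` on the connected socket confirms the peer's uid after the fact.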

