Bug#811455: RFS: qhttpengine/0.1.0+dfsg1-1 [ITP]
* Nathan Osman <nathan@quickmediasolutions.com>, 2016-05-23, 20:37:
> I worked around this problem by manually setting $HOME to /tmp in
> debian/rules. Please let me know if there is anything wrong with this.
Yes, this is very wrong. /tmp is world-writable and therefore not
suitable for a home directory. In some cases setting HOME=/tmp could
allow a malicious local user to execute arbitrary code with the
privileges of the building user.
Please set HOME to a subdirectory of cwd, which can be safely assumed to
be writable only by the building user. $(CURDIR)/debian/tmp/tmp might be
a convenient choice.
--
Jakub Wilk
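The private-HOME approach from the reply above, as an added example that is not part of the bug thread or the qhttpengine package: a pair of POSIX shell helpers that create `debian/tmp/tmp` below the build tree, lock it to the building user, and check that a candidate HOME is neither group- nor world-writable (which is exactly why /tmp is unsuitable). The build-tree argument, the helper names and the `debian/rules` snippet in the trailing comment are my own assumptions, not taken from the report.

```shell
#!/bin/sh
# Added example (not from the bug report): helpers a packager can call from
# debian/rules to give the build a private HOME instead of /tmp.
# Assumed layout: BUILDDIR is the unpacked source tree and the private HOME
# lives at BUILDDIR/debian/tmp/tmp, as suggested in the reply.

# Print the permission string and numeric owner uid of a path,
# e.g. "drwx------ 1000". Only ls/awk are used, so GNU and BSD both work.
path_mode_owner() {
    ls -ldn "$1" | awk '{ print $1, $3 }'
}

# Return 0 when DIR is acceptable as a build-time HOME: it exists, is owned
# by the invoking user, and is writable neither by group nor by others.
# A world-writable HOME (like /tmp) lets any local user pre-create files
# such as ~/.config or tool rc files that the build would then trust.
home_is_safe() {
    dir="$1"
    [ -d "$dir" ] || return 1
    set -- $(path_mode_owner "$dir")
    perms="$1"; owner="$2"
    [ "$owner" = "$(id -u)" ] || return 1
    case "$perms" in
        ?????w*)    return 1 ;;   # position 6: group write bit set
        ????????w*) return 1 ;;   # position 9: other write bit set
    esac
    return 0
}

# Create the private HOME below BUILDDIR, restrict it to the building user,
# verify it, and print its path so the caller can export HOME=... from it.
make_build_home() {
    home="$1/debian/tmp/tmp"
    mkdir -p "$home" || return 1
    chmod 0700 "$home" || return 1
    home_is_safe "$home" || return 1
    printf '%s\n' "$home"
}

# Equivalent usage from debian/rules (GNU make syntax, shown as a comment):
#   export HOME = $(CURDIR)/debian/tmp/tmp
#   override_dh_auto_configure:
#           mkdir -p $(HOME) && chmod 0700 $(HOME)
#           dh_auto_configure
```

`home_is_safe` reads the mode from the `ls -l` permission string rather than `stat`, because `stat`'s flags differ between GNU and BSD; the sticky bit on /tmp (shown as `t` in the last position) does not rescue it, since the other-write bit at position 9 is still set. Calling `make_build_home "$(pwd)"` from the source tree yields a directory that passes the check and that `dpkg-buildpackage` cleans up along with the rest of `debian/tmp`.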