Bug#496360: Not a bug for us
reopen 496360
severity 496360 important
kthxbye
On Mon, Aug 25, 2008 at 11:21:24 +0200, Romain Beauxis wrote:
> Hi !
>
> Indeed, liguidsoap uses files under /tmp to write logs and dump audio data
> during the live show.
>
> We don't consider this as a bug, but as a feature (tm).
This is broken.
> Furthermore, this is known to the user, the name is predictable --
> "/tmp/liguidsoap.log" -- and run manually by the user, with no root
> rights.
>
That makes symlink attacks against root impossible, but it still allows
an attacker to overwrite any file owned by the user running liguidsoap.
Please move the files out of /tmp.
Cheers,
Julien
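
The file handling at issue in this message, as an added example that is not part of the original thread and is not liguidsoap's own code: a by-path open of a fixed name in a shared directory next to an open that refuses symlinks, plus a per-user log location. The function names and the `~/.liguidsoap` directory are assumptions made for illustration.

```python
import errno, os, stat, tempfile

def open_log_naive(path):
    # Pattern from the report: open() follows a symlink already at this path.
    return open(path, "w")

def open_log_checked(path):
    # O_NOFOLLOW makes open fail with ELOOP if the last component is a symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        # Reject FIFOs/devices, files owned by another user, and hard links.
        if (not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid()
                or st.st_nlink != 1):
            raise PermissionError(errno.EPERM, "unexpected log file", path)
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")

def private_log_path(app="liguidsoap", home=None):
    # Assumed layout: a per-user, mode-0700 directory instead of /tmp.
    logdir = os.path.join(home or os.path.expanduser("~"), "." + app)
    os.makedirs(logdir, mode=0o700, exist_ok=True)
    return os.path.join(logdir, app + ".log")

def demo():
    # Constructed scenario; a throwaway directory stands in for /tmp and $HOME.
    with tempfile.TemporaryDirectory() as shared:
        target = os.path.join(shared, "important.txt")
        with open(target, "w") as f:
            f.write("user data\n")
        log = os.path.join(shared, "liguidsoap.log")
        os.symlink(target, log)  # link already present when the program starts
        try:
            open_log_checked(log).close()
            refused = False
        except OSError as e:
            refused = e.errno == errno.ELOOP
        intact = os.path.getsize(target) == len("user data\n")
        open_log_naive(log).close()  # follows the link, truncates the target
        clobbered = os.path.getsize(target) == 0
        with open_log_checked(private_log_path(home=shared)) as f:
            f.write("started\n")
        return refused, intact, clobbered

if __name__ == "__main__":
    print(demo())
```

The ELOOP error code for `O_NOFOLLOW` is Linux behaviour; other systems may report a different errno for the same refusal.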