Hi Diego,
I received a bug report about the way I've choosen to enable logging for
jmodeltest. Since in the dist.dir is under /usr and you should be able
to mount /usr readonly you can not write logging files there. So I
decided to do the logging to /var/log/jmodeltest and did the mistake
to set permissions to 777 instead to 1777 (see below or the full bug
report[1]).
Before I might upload a fix I would like to know the role of these
logfiles, its intention and whether you might consider using mktemp to
safely create log names with unpredictable names.
Another solution would be to keep the logs in users homes in case the
log is for the single user anyway.
Kind regards
Andreas.
[1] https://bugs.debian.org/825119
----- Forwarded message from Andreas Beckmann <a...@debian.org> -----
Date: Tue, 24 May 2016 18:19:04 +0200
From: Andreas Beckmann <a...@debian.org>
To: Andreas Tille <ti...@debian.org>, 825...@bugs.debian.org
Subject: Re: Bug#825119: jmodeltest: creates world writable /var/log/jmodeltest
On 2016-05-24 17:10, Andreas Tille wrote:
> Hi Andreas,
>
> thanks for running these tests. Could you be please be more verbose in
> how far it is a problem if a program enables users to write logs on a
> collective place which is the intention of enabling users to write
> there?
>
> I confirm that its possible for other users to delete / change logs.
> Well, yes, that could happen but its not security relevant in my eyes.
> Any better suggestion is welcome.
Perhaps you want 1777?
Are the logfile names predictable? Created in a safe way?
eve $ ln -sf /home/bob/important.file /var/log/jmodeltest/bob.log
bob $ run_jmodeltest # overwrites /home/bob/important.file ?
Andreas
----- End forwarded message -----
--
http://fam-tille.de
