tag 475737 + security
thanks

Hi Torsten!

You wrote:

> On Sat, Apr 12, 2008 at 8:36 PM, Bastian Blank <[EMAIL PROTECTED]> wrote:
> >  Sure it is correct. It allows wwwdata to write scripts which are
> >  executed by a different user. Also files in /usr and not in /usr/local
> >  are not supposed to be modified outside of dpkg.
> 
> I do not think that security improves when I move the files from
> /usr/share to /var/something. I have shown you that there is no real
> policy violation (just a violation of a recommendation). 

Please reread Policy.  Files in /usr cannot change during normal
system operation.  Writing to files in /usr/share is an FHS violation,
and thus a serious bug.

> 'It allows wwwdata to write scripts which are executed by a different
> user.' - that is not a security problem at all IMHO. At least you did
> not explain the security problem here.

It is a security bug IMO.  It allows for an attack vector from anything
running as www-data (i.e., all CGI and PHP scripts on your system,
including those that users might install or write themselves) to execute
random scripts as the user the cron job runs as.

-- 
Kind regards,
Bas Zoetekouw.
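
An added example, not part of the original message or of the package under discussion: a Python audit that lists the files under a tree which a given account (for instance www-data) could edit in place or replace through a writable directory, the condition the message describes for scripts a cron job later runs as another user. The function names and the constructed demo tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """Mode-bit check in kernel order: owner, group, other (ACLs and root not modelled)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def modifiable_files(root, uid, gids=()):
    """Return files under root that uid could edit in place or replace via the directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        dst = os.lstat(dirpath)
        dir_w = can_write(dst, uid, gids)
        sticky = bool(dst.st_mode & stat.S_ISVTX)
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            # Write access to the directory allows unlink + recreate, unless
            # the sticky bit restricts that to the file or directory owner.
            replaceable = dir_w and (not sticky or uid in (st.st_uid, dst.st_uid))
            if replaceable or can_write(st, uid, gids):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Constructed tree; the uid that creates it stands in for the web-server account."""
    root = tempfile.mkdtemp()
    layout = {"pkg/cron-job.php": 0o644, "pkg/locked/lib.php": 0o444, "pkg/open/data.php": 0o444}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    for rel, mode in (("pkg/locked", 0o555), ("pkg/open", 0o755), ("pkg", 0o555)):
        os.chmod(os.path.join(root, rel), mode)
    owner = os.lstat(root).st_uid
    return modifiable_files(root, owner), modifiable_files(root, owner + 1)

if __name__ == "__main__":
    print("owning account / unrelated account:", demo())
```

On a real system the uid and group list for the account would come from `pwd.getpwnam()` and `os.getgrouplist()`, and the root would be the directory holding the scripts the cron job executes.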
