On 23.02.2010 12:50, Jakub Wilk wrote:
> * Vedran Furač <vedran.fu...@gmail.com>, 2010-02-23, 11:39:
>> It built fine for me. In fact, provided packages are from
>> /var/cache/pbuilder/result. Could you please paste the pbuilder output log?
>>
>>>> - if your package doesn't contain any blatant security
>>>> vulnerabilities (hint: symlink attack).
>>
>> Could you please tell me more about this? Only root should be able to
>> run this program:
>
> That makes security issues more serious, doesn't it?
>
> Just try this (better in a chroot or on a machine you don't want to use
> any longer):
> - as a normal user: ln -s /bin/sh /tmp/logkeys.pid.lock
> - as root: logkeys -s

Huh, good catch, thanks. I didn't even notice it writes its pidfile to /tmp.
Moved (source patched) to the place where only root can write (/var/run).
Source package (re)uploaded.

Regards,
Vedran

--
http://vedranf.net | a8e7a7783ca0d460fee090cc584adc12
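The pidfile problem discussed in this thread, as an added example that is not part of the original messages and is not logkeys' code: a pidfile write that follows a pre-planted symlink, beside a hardened version that refuses any pre-existing name. The function names, the scratch directory and the victim file are constructed for the demonstration, and the naive pattern is an assumption about how such a write is typically done.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed naive pattern: follows a symlink at `path`, truncates its target. */
int write_pidfile_naive(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -errno;
    dprintf(fd, "%ld\n", (long)getpid());
    return close(fd);
}

/* Hardened: O_CREAT|O_EXCL refuses any existing name, symlinks included. */
int write_pidfile_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -errno;
    dprintf(fd, "%ld\n", (long)getpid());
    return close(fd);
}

/* Constructed scenario: a symlink already sits at the pidfile path in a
 * scratch directory. Returns the victim's size after `writer` has run. */
long victim_size_after(int (*writer)(const char *), int *rc) {
    char dir[] = "/tmp/pidfile-demo-XXXXXX", victim[64], lock[64];
    struct stat st;
    FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/demo.pid.lock", dir);
    if (!(f = fopen(victim, "w"))) return -1;
    fputs("0123456789 important contents\n", f);   /* 30 bytes */
    fclose(f);
    if (symlink(victim, lock) != 0) return -1;
    *rc = writer(lock);                 /* negative errno on refusal */
    if (stat(victim, &st) != 0) return -1;
    unlink(lock); unlink(victim); rmdir(dir);
    return (long)st.st_size;
}

int main(void) {
    int rc = 0;
    printf("naive: victim is %ld bytes\n", victim_size_after(write_pidfile_naive, &rc));
    printf("safe:  victim is %ld bytes\n", victim_size_after(write_pidfile_safe, &rc));
    return 0;
}
```

The exclusive open complements the fix described in the reply: keeping the pidfile in a directory only root can write to removes the chance to plant the link in the first place.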