On Mon, Feb 25, 2002 at 12:55:01PM +1000, Anthony Towns wrote:
> On Sun, Feb 24, 2002 at 05:38:25PM +0100, Carel Fellinger wrote:
> > Are you sure all package names are sane? Or could some joker distribute a
> > (non official of course) python package with a name just waiting to exploit
> > this unsanitized use of its name in a script running as root?
>
> Huh? Aren't these things only called after the package is installed (or while
> it's installing)? In which case, the joker's non-official python package has
> already had its postinst run as root, and the joker already has complete
> control of your machine.

Yeah, that thought occurred to me after posting my "fixes". Still... shell-script security advice to avoid standard risks is always worth getting :-)

--
ABO: finger [EMAIL PROTECTED] for more info, including pgp key