Hi, since this procd commit from 2013 https://git.lede-project.org/?p=project/procd.git;a=blob;f=early.c;h=063e1a6abcc8ecdf22b9c8c11b2e81cc2460bcea;hb=be950c5e56b86509e1e237931d0ac8203372be82
/var/run (also /var/state and /var/lock) is world writable, with no sticky bit, which means unpriviledge process can delete root files (or many other attacks). Do you remember if there was a reason to make it 0777 ? I think before procd this was only handled by /etc/init.d/boot and it was 0755 On ubuntu 15.10 it's 0755 for /var/run and 1777 for /var/state and /var/lock see also FHS stating that /run (new /var/run) should not be world writable http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html#idm236092622080 Regards Etienne _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
