On Tue, May 4, 2010 at 9:43 AM, Joey Hess wrote:
>
> /var/run/prosody/prosody.pid is in a directory writable by the prosody
> user, as well as itself being writable by that user. Suppose this
> user is compromised. If the pid is overwritten with a different process
> id, such as 1, /etc/init.d/pro
Excerpts from Joey Hess's message of Tue May 04 06:43:01 +0100 2010:
>
> Note that beyond the possibility this could be used as a security
> hole, things go wrong, pid files end up with stale data in them.
> Blindly killing w/o checking is asking for trouble.
>
Valid points. Perhaps a solutio
Package: prosody
Version: 0.6.2-1
Severity: normal
Tags: security
/var/run/prosody/prosody.pid is in a directory writable by the prosody
user, as well as itself being writable by that user. Suppose this
user is compromised. If the pid is overwritten with a different process
id, such as 1, /etc/ini