[Debian-med-packaging] Bug#825119: jmodeltest: creates world writable /var/log/jmodeltest
Andreas Beckmann
anbe at debian.org
Tue May 24 16:19:04 UTC 2016
On 2016-05-24 17:10, Andreas Tille wrote:
> Hi Andreas,
>
> thanks for running these tests. Could you please be more verbose in
> how far it is a problem if a program enables users to write logs on a
> collective place which is the intention of enabling users to write
> there?
>
> I confirm that it's possible for other users to delete / change logs.
> Well, yes, that could happen but it's not security relevant in my eyes.
> Any better suggestion is welcome.

Perhaps you want 1777?
Are the logfile names predictable? Created in a safe way?

    eve $ ln -sf /home/bob/important.file /var/log/jmodeltest/bob.log
    bob $ run_jmodeltest # overwrites /home/bob/important.file ?

Andreas
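
The symlink scenario sketched in the reply above, as an added example (not part of the original mail and not jmodeltest's code): it rebuilds the situation in a temporary directory and contrasts a plain truncating open with creation via O_CREAT|O_EXCL|O_NOFOLLOW. The function names, file names and file contents are constructed for illustration.

```python
import os
import tempfile

ORIGINAL = "precious data\n"  # constructed sample content


def open_log_naive(path):
    # Follows a symlink at `path` and truncates whatever it points to.
    return open(path, "w")


def open_log_safe(path):
    # O_CREAT|O_EXCL: fail if anything (including a symlink) already has this name.
    # O_NOFOLLOW: never follow a symlink in the final path component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.fdopen(os.open(path, flags, 0o600), "w")


def demo():
    """Return (naive_clobbered_target, safe_open_refused, target_intact_after_safe)."""
    with tempfile.TemporaryDirectory() as root:
        logdir = os.path.join(root, "logdir")  # stands in for the shared log directory
        os.mkdir(logdir)
        os.chmod(logdir, 0o1777)  # sticky bit limits deletion, not symlink planting
        target = os.path.join(root, "important.file")
        link = os.path.join(logdir, "bob.log")  # predictable log name

        with open(target, "w") as f:
            f.write(ORIGINAL)
        os.symlink(target, link)

        with open_log_naive(link) as f:
            f.write("log line\n")
        with open(target) as f:
            clobbered = f.read() != ORIGINAL

        with open(target, "w") as f:  # restore the target for the second case
            f.write(ORIGINAL)
        try:
            with open_log_safe(link) as f:
                f.write("log line\n")
            refused = False
        except OSError:  # EEXIST: the name is already taken by the symlink
            refused = True
        with open(target) as f:
            intact = f.read() == ORIGINAL
        return clobbered, refused, intact
```
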