Bug#845385: Privilege escalation via removal
paul.szabo at sydney.edu.au
Wed Nov 23 00:46:28 UTC 2016
Dear Emmanuel,
> Do you think running something like "chmod -R 640 /etc/tomcat8" right
> before the chown is an appropriate solution to this issue?
Might protect against "static" things, but vulnerable to a race.
Your postrm script might want to kill all tomcat8 processes, also.
That might be a "good thing": deluser or delgroup might not "work"
with left-over, running processes; and might protect against a race.
But really... why do you care about leaving some "dangling" useless
object, owned by some long-gone UID or GID?
Cheers, Paul
Paul Szabo psz at maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia