On Sat, Sep 30, 2006 at 08:19:22PM +0200, Ralf Stubner wrote:
> On Sat, Sep 30, 2006 at 18:12 +0100, Thiemo Seufer wrote:
> > Frank Küster wrote:
> > > Thiemo Seufer <[EMAIL PROTECTED]> wrote:
> > > > So, if I understand that correctly, the bug was fixed by running mktexmf
> > > > as non-root, and the change of the cache location is only a collateral.
> > >
> > > No, or I do not understand what you mean.
> >
> > I meant the earlier security bug you mentioned. To me, the solution
> > for the earlier bug as well as the current one looks like keeping the
> > font cache in /var but maintaining it via a mktexmf user.
>
> The problem is that mktexmf is a shell script (=no suid possible)

Where does the input for the cache come from? If the input is always from a
privileged location (i.e., /usr/share, /usr/lib, /etc), then it's possible
-- and, I think, vastly preferable -- to have an suid wrapper for mktexmf to
manage /var/cache. If the font input comes from user-specified,
non-privileged locations, then this can't ever be safely written to a shared
location.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
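
The distinction drawn in the message above (input from a privileged location versus a user-specified one) is the check an suid wrapper would have to make before writing anything to a shared cache. The following is an added example, not code from the thread, Debian or teTeX; the function names are hypothetical, the trusted roots are the three directories named in the message, and it assumes those trees are writable only by root.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for realpath() */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Privileged input roots named in the message (assumed root-only writable). */
static const char *const TRUSTED_ROOTS[] = { "/usr/share", "/usr/lib", "/etc" };

/* Match whole path components of an already-canonical path:
   "/etc/texmf/x.mf" is under "/etc", "/etcetera/x.mf" is not. */
int under_trusted_root(const char *canon)
{
    for (size_t i = 0; i < sizeof TRUSTED_ROOTS / sizeof TRUSTED_ROOTS[0]; i++) {
        size_t n = strlen(TRUSTED_ROOTS[i]);
        if (strncmp(canon, TRUSTED_ROOTS[i], n) == 0 &&
            (canon[n] == '/' || canon[n] == '\0'))
            return 1;
    }
    return 0;
}

/* Returns 1 only if path resolves (symlinks and ".." followed) to a root-owned
   regular file, not group- or world-writable, below a trusted root. */
int input_is_privileged(const char *path)
{
    char canon[PATH_MAX];
    struct stat st;

    if (realpath(path, canon) == NULL)
        return 0;
    if (!under_trusted_root(canon))
        return 0;
    if (stat(canon, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return st.st_uid == 0 && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%-8s %s\n", input_is_privileged(argv[i]) ? "accept" : "refuse", argv[i]);
    return 0;
}
```

Canonicalizing before the prefix test is what stops a path such as `/etc/../tmp/x.mf`, or a symlink placed in a user directory, from passing as privileged input.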