On Tue, May 24, 2016 at 06:19:04PM +0200, Andreas Beckmann wrote: > On 2016-05-24 17:10, Andreas Tille wrote: > > Hi Andreas, > > > > thanks for running these tests. Could you be please be more verbose in > > how far it is a problem if a program enables users to write logs on a > > collective place which is the intention of enabling users to write > > there? > > > > I confirm that its possible for other users to delete / change logs. > > Well, yes, that could happen but its not security relevant in my eyes. > > Any better suggestion is welcome. > > Perhaps you want 1777?
Would you consider this a fix for the bug? > Are the logfile names predictable? Created in a safe way? The names are perfectly predictable. > eve $ ln -sf /home/bob/important.file /var/log/jmodeltest/bob.log > bob $ run_jmodeltest # overwrites /home/bob/important.file ? I confirm this would be possible currently. Thanks for taking care about issues like this. Kind regards Andreas. -- http://fam-tille.de