* Torsten Werner <[EMAIL PROTECTED]> [2008-04-13 11:04:44 CEST]:
> On Sun, Apr 13, 2008 at 12:25 AM, Bas Zoetekouw <[EMAIL PROTECTED]> wrote:
> > Please reread Policy. Files in /usr cannot change during normal
> > system operation. Writing to files in /usr/share is an FHS violation,
> > and thus a serious bug.
>
> I have quoted the policy earlier in the bug report but you have not.
> That is why I do not think you are correct.

That's a really interesting approach, but it doesn't keep you from being
wrong. Please read "Chapter 2. The Filesystem" of the FHS with respect to
"Static" data:

,-----------------------------> quote FHS <-----------------------------
| "Static" files include binaries, libraries, documentation files and
| other files that do not change without system administrator
| intervention. "Variable" files are files that are not static.
`-----------------------------> quote FHS <-----------------------------

/usr is clearly labelled as static in the table further down that chapter.

> Do not forget that we have released sarge and etch with exactly the
> same directory structure in otrs. Downgrading the severity of the bug
> is acceptable IMHO.

That's extremely weak reasoning. Just because the problem wasn't raised
before doesn't make it a non-serious FHS violation.

> > It is a security bug IMO. It allows for an attack vector from anything
> > running as www-data (ie, all cgi and php scripts on your system,
> > including those that users might install or write themselves) to execute
> > random script as the user the cron job runs as.
>
> What is the difference to similar users like postgres (as an example)?
> It allows anything running as postgres to change files belonging to
> the postgres* packages.

But the www-data user is special because it's a remote user and doesn't
require local access to the user.

So long. :)
Rhonda
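The attack path argued over in this thread is simply "www-data can write something under /usr that a cron job later executes as another user". The following scanner is an added example (not part of the OTRS package or of the bug report) that enumerates exactly those paths for an arbitrary account. It implements the ordinary Unix permission check (owner bits if you own the inode, otherwise group bits, otherwise other bits) and reports writable directories as well as files, because write access to the directory is enough to swap a read-only script out from under the cron job. The `demo()` records, the `/usr/share/somepkg` paths and the uid/gid 33 for www-data are constructed for illustration, not taken from the real package.

```python
#!/usr/bin/env python3
"""List files and directories under a tree that a given system user could
modify.  Added example for the www-data -> cron-user attack discussed in the
mail; not code from the OTRS package or the bug report."""
import os
import pwd
import grp
import stat
import sys


def writable_by(st, uid, gids):
    """Non-root Unix write check for the inode described by stat result `st`.
    Only the owner bits count when the user owns the inode, then only the
    group bits when one of the user's groups matches, otherwise other bits."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def user_ids(name):
    """Resolve a user name to (uid, set of gids): primary plus supplementary."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


def find_writable(root, uid, gids):
    """Walk `root` (not following symlinks) and return every path the user
    could write.  Directories are included on purpose: write access to the
    directory lets the user replace a read-only script inside it."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; not ours to decide
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are meaningless; target is visited on its own
            if writable_by(st, uid, gids):
                hits.append(path)
    return sorted(hits)


def fake_stat(mode, uid, gid):
    """Constructed stat record so the check can be demonstrated offline."""
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


def demo():
    """Constructed inodes (not a real package layout) mimicking the situation
    in the thread: a cron script under /usr/share owned by the web user, a
    group-writable directory, a correctly static script, and a world-writable
    file.  uid/gid 33 for www-data is the usual Debian value (assumption)."""
    www_uid, www_gids = 33, {33}
    records = {
        "/usr/share/somepkg/bin/cron-script.pl": fake_stat(stat.S_IFREG | 0o755, 33, 33),
        "/usr/share/somepkg/var": fake_stat(stat.S_IFDIR | 0o775, 0, 33),
        "/usr/share/somepkg/bin/static.pl": fake_stat(stat.S_IFREG | 0o755, 0, 0),
        "/usr/share/somepkg/world.txt": fake_stat(stat.S_IFREG | 0o666, 0, 0),
    }
    return sorted(p for p, st in records.items()
                  if writable_by(st, www_uid, www_gids))


if __name__ == "__main__":
    # Usage: ./writable.py [user] [root]   e.g. ./writable.py www-data /usr
    user = sys.argv[1] if len(sys.argv) > 1 else "www-data"
    root = sys.argv[2] if len(sys.argv) > 2 else "/usr"
    try:
        uid, gids = user_ids(user)
    except KeyError:
        sys.exit("no such user: %s" % user)
    for path in find_writable(root, uid, gids):
        print(path)
```

Run it as root (so the whole tree is readable) against /usr on a box with the package installed; under the FHS reading quoted above the correct output is empty. Anything it prints is state the package should be keeping under /var, and anything it prints that a cron job later executes is the attack vector Bas describes. Note the owner-bits precedence in `writable_by`: a file owned by www-data with mode 0477 is not writable by www-data even though group and others have write permission, which is the behaviour of the kernel, not a simplification.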