* Michael Gilbert <mgilb...@debian.org>, 2012-10-08, 14:15:
> "Packages must not include files or directories under /run, or under the older /var/run and /var/lock paths."
> The thing is that it really does no harm if a package actually does this

Given that /var/lock is world-writable in Debian, and that dpkg follows symlinks to directories, at least shipping directories in /var/lock is almost certainly a security hole. (Fortunately, this is mitigated by the protected_symlinks feature of recent kernels.)

--
Jakub Wilk
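
An audit for the situation described in the message above, as an added example that is not part of the original thread: it flags paths a package ships under /run, /var/run or /var/lock, reports which of them already exist as symlinks on disk, and reads the protected_symlinks setting. The function names, the package name "mypkg" and the sample listing are constructed for illustration; /proc/sys/fs/protected_symlinks is the kernel's sysctl file for that feature.

```shell
#!/bin/sh
# Added example (not from the thread): audit a package file listing against
# the policy rule quoted above, and check the kernel mitigation.

# Constructed sample listing in `dpkg-deb --fsys-tarfile PKG.deb | tar -t` form;
# "mypkg" is a made-up package name.
SAMPLE_LISTING='./
./var/lock/
./var/lock/mypkg/
./var/lock/mypkg/state
./run/mypkg.pid
./usr/bin/mypkg'

# Print shipped paths strictly under /run, /var/run or /var/lock.
# stdin: one path per line (`dpkg -L PKG` output works as well).
policy_violations() {
    sed -e 's|^\./|/|' -e 's|/*$||' |
        grep -E '^/(run|var/run|var/lock)/.' || true
}

# Of those paths, print the ones that currently exist as symlinks below ROOT
# ("" for the live system). A symlink sitting where the package ships a
# directory is the case in which dpkg would unpack through the link.
symlinked_paths() {
    root=$1
    policy_violations | while IFS= read -r p; do
        if [ -L "$root$p" ]; then
            printf '%s -> %s\n' "$p" "$(readlink "$root$p")"
        fi
    done
}

# Report the state of the protected_symlinks mitigation. The file path is a
# parameter so the check can be pointed at a test file.
protected_symlinks_state() {
    f=${1:-/proc/sys/fs/protected_symlinks}
    if [ -r "$f" ] && [ "$(cat "$f")" = 1 ]; then
        echo enabled
    else
        echo "disabled or unsupported"
    fi
}

printf '%s\n' "$SAMPLE_LISTING" | policy_violations
printf '%s\n' "$SAMPLE_LISTING" | symlinked_paths ""
echo "protected_symlinks: $(protected_symlinks_state)"
```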


Archive: http://lists.debian.org/20121008182724.ga2...@jwilk.net