You should create a temporary name or check and see where the symlink follows before executing/removing it. So if it does not point in the right direction, you just exit with an error.
Ido

On Fri, Aug 29, 2008 at 5:53 PM, Vincent Snijders <[EMAIL PROTECTED]> wrote:
> Joost van der Sluis wrote:
>> Hi all,
>>
>> As the packager of Lazarus in Fedora, I get notifications if someone
>> files a bug in Fedora's bug-tracker.
>>
>> Now someone added a bug-report with a security issue:
>> https://bugzilla.redhat.com/show_bug.cgi?id=460642
>>
>> And indeed, if someone adds a symlink like 'ln -s /tmp/fpc_patchdir /etc'
>> and thereafter someone with root-permissions runs the
>> check_fpc_dependencies.sh script with the following code in it he won't
>> be happy:
>>
>> TmpDir=/tmp/fpc_patchdir
>> if [ "$WithTempDir" = "yes" ]; then
>>   if [ -d $TmpDir ]; then
>>     rm -rf $TmpDir/*
>>     rm -r $TmpDir
>>   fi
>>
>
> Somebody reported the same (or similar) issues in the Debian bug tracker.
>
> Maybe the best solution is not to package these scripts in rpm/debs, so
> that they don't enter the dangerous wild where people are running
> scripts with root permissions and add symlinks in the tmp directory.
>
> Vincent
> _______________________________________________
> Lazarus mailing list
> Lazarus@lazarus.freepascal.org
> http://www.lazarus.freepascal.org/mailman/listinfo/lazarus
>

--
http://ik.homelinux.org/
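The two mitigations suggested in the reply above (a temporary name that is not predictable, and a symlink check before removal), sketched as an added example that is not code from the Lazarus script or from the posters. The helper names `make_patch_dir` and `safe_remove_dir`, and the sandbox paths in `demo`, are hypothetical.

```shell
#!/bin/sh
# Added example, not part of check_fpc_dependencies.sh.
# make_patch_dir and safe_remove_dir are hypothetical helper names.

# Create a fresh, unpredictably named directory (mode 0700). mktemp -d fails
# instead of reusing an existing path, so a pre-planted symlink is never adopted.
make_patch_dir() {
    mktemp -d "${TMPDIR:-/tmp}/fpc_patchdir.XXXXXX"
}

# Remove a directory only if it is a real directory owned by the caller.
# The test-then-rm sequence still leaves a race window in a world-writable
# parent, which is why make_patch_dir is the primary fix and this is a guard.
safe_remove_dir() {
    dir=$1
    [ -n "$dir" ] || { echo "refusing: empty path" >&2; return 1; }
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi
    [ -d "$dir" ] || return 0            # nothing to clean up
    if [ ! -O "$dir" ]; then
        echo "refusing: $dir is not owned by the current user" >&2
        return 1
    fi
    rm -rf -- "$dir"
}

# Constructed demo in a private sandbox: a symlink planted at the predictable
# name points at a directory that must survive the cleanup attempt.
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/important" && : > "$sandbox/important/keep.conf"
    ln -s "$sandbox/important" "$sandbox/fpc_patchdir"
    if safe_remove_dir "$sandbox/fpc_patchdir" 2>/dev/null; then
        result="removed"
    else
        result="refused"
    fi
    [ -f "$sandbox/important/keep.conf" ] && result="$result,target-intact"
    rm -rf -- "$sandbox"
    echo "$result"
}

demo
```

In the quoted snippet the damage comes from `rm -rf $TmpDir/*`, because the glob is expanded through the symlink; a script that creates its directory with `mktemp -d` and removes only the path it created never reaches that case.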