On Sun, 2008-10-05 at 00:56 +0200, Michael Biebl wrote:
> Hi Victor,
>
> thanks for the nice release.
>
> 2008/10/4 Victor Lowther <[EMAIL PROTECTED]>:
> > 1.2.1 Release Announcement
> > * pm-utils has support for saving quirks as a HAL FDI file. If
> > called with --store-quirks-as-fdi, an .fdi file specific to the
> > machine and quirks passed on the command line will be written
> > to /tmp/pm-utils-created.fdi.
>
> This sounds dangerous, looks like insecure tmp file usage.
> A malicious attacker could create a symlink and this way trick you
> overwriting important files.

True, but as a malicious attacker why go to the effort of creating a tmp symlink and then getting someone with root permissions to test suspending and resuming their machine to overwrite their /etc/passwd with xml? Just crack root using your favourite local exploit and do it without social engineering, or fork bomb them to death.

Not that it won't be fixed in the next release. :)

> I see three possibilities:
> 1.) Use mktemp to create a random name (and tell the user the name).
> 2.) Store the file in /etc/hal/fdi, isn't it intended for that anyway?
> 3.) Dump the fdi file to stdout.

Option 2 sounds good to me -- call it /etc/hal/fdi/information/99local-pm-utils-quirks.fdi or something like that.

> Cheers,
> Michael

-- 
Victor Lowther
Ubuntu Certified Professional

_______________________________________________
Pm-utils mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/pm-utils
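The safe variant of the tmp-file write that Michael's option 1 describes, as an added illustration that is not pm-utils' own code: the output file is created by mktemp (random name, created exclusively, mode 0600, so a pre-placed symlink at a guessable path is never followed), and the chosen path is reported to the caller. The function name, the `power_management.quirk.*` HAL key layout and the quirk names used for the sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not pm-utils code. Writes a HAL .fdi file describing the
# quirks given as arguments, using mktemp instead of a fixed path in /tmp.
# The HAL key layout and the quirk names are assumed for illustration.

# write_quirks_fdi QUIRK... -> prints the path of the file it created.
# mktemp creates the file with O_CREAT|O_EXCL and a random suffix, so an
# attacker who can write to /tmp cannot pre-place a symlink at our name.
write_quirks_fdi() {
    outfile=$(mktemp "${TMPDIR:-/tmp}/pm-utils-created.XXXXXX") || return 1
    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n'
        printf '<deviceinfo version="0.2">\n  <device>\n'
        for quirk in "$@"; do
            # assumed key naming: power_management.quirk.<name>
            printf '    <merge key="power_management.quirk.%s" type="bool">true</merge>\n' "$quirk"
        done
        printf '  </device>\n</deviceinfo>\n'
    } > "$outfile" || return 1
    # Tell the user where the file went, as option 1 in the thread suggests.
    printf '%s\n' "$outfile"
}

# Defensive check a caller can run before trusting an output path: the
# target must be a regular file and must not be a symlink. A fixed name
# under /tmp cannot guarantee this; a mktemp-created file can.
is_plain_file() {
    [ ! -L "$1" ] && [ -f "$1" ]
}
```

Usage: `f=$(write_quirks_fdi vbe_post dpms_on)` followed by `is_plain_file "$f"` before the file is installed anywhere else (for instance copied by an administrator into /etc/hal/fdi as option 2 proposes).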
