Hello Bruno,

* Bruno Haible wrote on Fri, Mar 02, 2007 at 02:30:07AM CET:
> Ralf Wildenhues wrote:
> > > for example, --prefix=/tmp/inst$$.
> >
> > This bit doesn't. Since /tmp is usually world-writable, you've got your
> > attack vector already.
>
> /tmp is world-writable but a directory created by a user in /tmp is not
> world-writable (assuming an umask of at least 002). Therefore I don't see
> a security problem here.
On several systems that I know, /tmp is cleaned at system startup, or old
files are removed at regular intervals. So after you've installed your
stuff, at some point /tmp/inst$$ is removed again (possibly even by you).
At that time, I can write to /tmp/inst$$. I can usually even look at your
binaries (in the final location) first to find out about the value of $$
that was used by you at 'make install' time. That's a trivial attack on
the systems where run path overrides the shared library path variable.

Cheers,
Ralf
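The point Ralf makes is that a run path (DT_RPATH/DT_RUNPATH) is only as trustworthy as every directory on it, including ones that may be removed and recreated later. The following audit script is an added example, not code from this thread or from the projects discussed; it takes the text of `readelf -d` (the RPATH/RUNPATH line format is assumed from binutils output), extracts each run-path entry, and walks the entry component by component, flagging components that are world-writable, components that are missing under a world-writable parent (so anyone could recreate them), and entries that are relative or `$ORIGIN`-based. The `trust_root` parameter and the `SAMPLE_READELF` text are constructed for the example.

```python
import os
import re
import stat

# Matches the RPATH/RUNPATH line of `readelf -d` output, e.g.
#  0x000000000000001d (RUNPATH)  Library runpath: [/tmp/inst12345/lib:$ORIGIN/../lib]
_RPATH_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s*\[([^\]]*)\]")


def parse_readelf_rpaths(readelf_output):
    """Return [(tag, [entry, ...]), ...] for every RPATH/RUNPATH line in `readelf -d` text."""
    result = []
    for tag, value in _RPATH_RE.findall(readelf_output):
        entries = [e for e in value.split(":") if e]
        result.append((tag, entries))
    return result


def audit_rpath_entry(entry, trust_root="/"):
    """Classify one run-path entry; returns a list of findings, empty when nothing is wrong.

    Components at or above `trust_root` are taken as trustworthy and are not examined,
    so a caller can point the walk at a directory tree it controls (hypothetical
    parameter for this example). Findings:
      relative / origin-relative  entry is not an absolute path
      outside-trust-root          entry does not lie below trust_root
      world-writable:<dir>        an existing component lets other users create names in it
      recreatable:<dir>           a missing component whose parent is world-writable
      missing:<dir>               a missing component under a directory others cannot write
    """
    if "$ORIGIN" in entry:
        return ["origin-relative"]
    if not os.path.isabs(entry):
        return ["relative"]
    norm = os.path.normpath(entry)
    root = os.path.normpath(trust_root)
    prefix = root.rstrip(os.sep) + os.sep
    if norm != root and not norm.startswith(prefix):
        return ["outside-trust-root"]

    findings = []
    cur = root
    # Sticky world-writable dirs like /tmp still allow anyone to create new names.
    parent_writable = bool(os.stat(root).st_mode & stat.S_IWOTH)
    if parent_writable:
        findings.append("world-writable:" + root)
    rel = norm[len(prefix):].strip(os.sep)
    for part in (rel.split(os.sep) if rel else []):
        cur = os.path.join(cur, part)
        if not os.path.lexists(cur):
            # A vanished component below a world-writable parent can be re-created
            # by any local user, which is exactly the /tmp cleanup scenario.
            findings.append(("recreatable:" if parent_writable else "missing:") + cur)
            break
        parent_writable = bool(os.stat(cur).st_mode & stat.S_IWOTH)
        if parent_writable:
            findings.append("world-writable:" + cur)
    return findings


def audit_readelf_output(readelf_output, trust_root="/"):
    """Map every run-path entry found in `readelf -d` output to its findings."""
    report = {}
    for _tag, entries in parse_readelf_rpaths(readelf_output):
        for entry in entries:
            report[entry] = audit_rpath_entry(entry, trust_root)
    return report


# Constructed sample of `readelf -d` output (not taken from a real binary).
SAMPLE_READELF = """Dynamic section at offset 0x2d98 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/tmp/inst12345/lib:$ORIGIN/../lib]
"""

if __name__ == "__main__":
    for entry, findings in audit_readelf_output(SAMPLE_READELF).items():
        print(entry, "->", ", ".join(findings) or "ok")
```

Run against a real binary with `readelf -d /path/to/binary | python3 audit.py` after replacing the sample text with `sys.stdin.read()`; an install prefix under /tmp will show up as `world-writable:/tmp` while the directory exists and as `recreatable:` once it has been cleaned up.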