Hi,

On Fri, 02 Feb 2018, Chris Lamb wrote:
> > In my case, I remember having touched many packages with dedicated
> > users created and I expect this tag to have a very high false positive
> > ratio
>
> Can you make this more concrete? (Or, perhaps, why is colord
> vulnerable but your particular package is not..?)

I'm not quite sure of what colord is vulnerable. #889060 assumes the attacker can create arbitrary hardlinks as the "colord" user in /var/lib/colord. I don't know colord enough to know if that's the case and why that would be the case.

In general, when you have a dedicated user it's because you want to run a daemon under that user to restrict its accesses. The interfaces of most daemons do not allow end users to create hardlinks/symlinks in the data directories of the daemon... hence this chown -R vulnerability is only exploitable after having found another vulnerability in the daemon to create the hardlinks and/or symlinks.

That makes it much less important as a vulnerability.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
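
The precondition discussed in this message (hardlinks or symlinks already present in the daemon's data directory) can be checked before a maintainer script runs `chown -R`. The following is an added example, not part of the original message or of any Debian package; the function names `audit_tree` and `guarded_chown` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are
# hypothetical; the directory and owner are supplied by the caller.

# audit_tree DIR
# Prints one line per entry that makes a recursive chown of DIR risky:
#   "hardlink PATH" - regular file whose inode has more than one name, so
#                     changing its owner also changes it under every other
#                     name, possibly outside DIR
#   "symlink PATH"  - symbolic link found inside DIR
audit_tree() {
    audit_dir=$1
    find "$audit_dir" -xdev -type f -links +1 -exec printf 'hardlink %s\n' {} \;
    find "$audit_dir" -xdev -type l -exec printf 'symlink %s\n' {} \;
}

# guarded_chown OWNER DIR
# Runs the recursive chown only when the audit finds nothing. Returns 1 and
# reports the findings on stderr otherwise, leaving the decision to the admin.
# This is a check, not a cure: an entry created between the audit and the
# chown is not seen.
guarded_chown() {
    gc_owner=$1
    gc_dir=$2
    gc_risky=$(audit_tree "$gc_dir")
    if [ -n "$gc_risky" ]; then
        printf 'refusing chown -R of %s, found:\n%s\n' "$gc_dir" "$gc_risky" >&2
        return 1
    fi
    # -h: if a symlink is met anyway, change the link itself, not its target.
    chown -R -h "$gc_owner" "$gc_dir"
}
```

A postinst could call `guarded_chown colord /var/lib/colord` in place of a bare `chown -R`; a non-empty audit on a directory that only the daemon writes to is also a sign that the daemon itself has been misused.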