> Subject: wontfix
> From: Thijs Kinkhorst <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Date: Thu, 19 Apr 2007 20:45:51 +0200
>
> Hi,
>
> I will not fix this bug as per the reasoning in my previous message,
> some months ago.

Hi,

Will you at least consider using checksums?
I still think running wget as root should be avoided. The apt code was written with this in mind, but wget is typically run by normal users.

Anyway, I know more about setuid and friends now. A root process can (and will by default) change all its UIDs with setuid. Using setresuid you can control all the UIDs independently.

Anyway, something like this should be sufficient.

    # $url (file to fetch) and $validmd5 (accepted md5sums) must already be set
    f=`tempfile`
    adduser mstwget
    # tempfile creates a root-owned 0600 file; hand it to the download user
    chown mstwget "$f"
    su -c "wget -O '$f' '$url'" mstwget
    chown root:root "$f"
    deluser mstwget

    # Compute the checksum once and compare it with each accepted value
    sum=`md5sum "$f" | sed -e 's/ .*//'`
    ok=no
    for m in $validmd5
    do
      [ "$m" = "$sum" ] && { ok=yes; break; }
    done
    # An empty $validmd5 list also counts as a failure
    [ "$ok" = yes ] || {
      echo "$0: error: md5sum failed to match any correct value"
      exit 1
    } >&2

Justin
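The remark above about setuid versus setresuid, as an added example that is not part of the original message: a permanent privilege drop that sets the real, effective and saved IDs explicitly and then verifies them. The function name `drop_privileges` is hypothetical, and Linux with glibc is assumed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* glibc: expose setresuid() and friends */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes in case feature macros were fixed by an earlier include. */
int setresuid(uid_t, uid_t, uid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int setresgid(gid_t, gid_t, gid_t);
int getresgid(gid_t *, gid_t *, gid_t *);

/* Permanently switch real, effective and saved IDs to uid/gid.
 * Returns 0 on success, -1 if any step fails or cannot be verified. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    gid_t rg, eg, sg;

    /* Supplementary groups first; only root may change them. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Group IDs before user IDs: after the UID change the right is gone. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify all three of each, including the saved IDs. */
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid)
        return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return -1;
    /* A non-root target must not be able to get root back. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Demo assumption: drop to the caller's own IDs (works without root). */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed\n");
        return 1;
    }
    puts("privileges dropped");
    return 0;
}
```

A real caller running as root would pass the IDs of a dedicated unprivileged account and do the download only after this function returns 0.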