> Package: fai-client
> Severity: critical
> Tags: security
> Tags: pending
> 
> When using fai softupdate, install_packages writes a list of all
> packages to the file /var/tmp/package, which is located in a world
> writeable directory. It also writes to /tmp/packages.list if
> FAI_DEBSOURCESDIR is set. These problems only affect FAI versions from
> 3.3 to 3.3.4.
> 
> In case you use PACKAGES dselect-upgrade (I guess it's not used very
> often) in package_config it writes to
> $FAI_ROOT/tmp/dpkg-selections.tmp. Since FAI_ROOT is set to / if you
> are calling fai softupdate, this is a security problem. This problem
> also affects older versions.
> 
> I've already prepared a patch for this, which is available in the svn trunk.

Would you mind explaining how this could possibly be "exploited"? There is
nothing private in the list of packages. This could only pose problems if *the
file* were world-writable, in which case a local user could add packages to that
file.

A reply in PM is ok, of course.

Best,
Michael
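A hardened way to write such a list, as an added example that is neither FAI's own code nor the patch mentioned above: a predictable name in a world-writable directory such as /var/tmp can be claimed by any local user before the script runs, so the list goes instead to a file created by mktemp inside a private directory, and a helper refuses a fixed path that is already a symlink or owned by another user. The names `write_package_list` and `safe_fixed_path` are hypothetical.

```shell
#!/bin/sh
# Added example (not FAI code). Shows how to avoid a fixed, predictable
# file name in a world-writable directory such as /var/tmp.

# Return 1 if a fixed path must not be written to: either it is a
# symlink (the write would land wherever the link points) or it exists
# and belongs to someone else. Return 0 if it is absent or our own.
safe_fixed_path() {
    p="$1"
    if [ -L "$p" ]; then
        return 1
    fi
    if [ -e "$p" ] && [ ! -O "$p" ]; then
        return 1
    fi
    return 0
}

# Write the package names given as arguments, one per line, to a file
# that mktemp creates exclusively inside a fresh mode-0700 directory.
# No other user can pre-create or swap that file. Prints the path.
write_package_list() {
    tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/pkglist.XXXXXXXX") || return 1
    listfile=$(mktemp "$tmpdir/package.XXXXXX") || return 1
    printf '%s\n' "$@" > "$listfile" || return 1
    echo "$listfile"
}
```

The caller is responsible for removing the directory when done; the list file's content is exactly what the caller passed in, so a script can also verify it before use.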
