On 04.05.2010 11:40, Lennart Poettering wrote:
> On Tue, 04.05.10 01:30, Joey Hess (jo...@debian.org) wrote:
>
>> Package: avahi-daemon
>> Version: 0.6.25-3
>> Severity: normal
>> Tags; security
>>
>> /var/run/avahi-daemon/pid is writable by the avahi user. Suppose this
>> user is compromised. If the pid is overwritten with a different process
>> id, such as 1, /etc/init.d/avahi-daemon stop will go ahead and kill
>> that.
>
> Well, I am not too concerned with this issue tbh, given that this file
> is both outside the chroot and we set RLIMIT_FSIZE to 0. Which basically
> means that from inside Avahi you cannot write any file anyway, and
> particularly not that one...

Hi Joey,

given Lennart's explanations, are you ok with closing the bug report or do you see a point in keeping it open?

Michael
-- 
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
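
The RLIMIT_FSIZE behaviour mentioned in the quoted reply, as an added example that is not part of the original thread or of Avahi's code: a child process sets the limit to 0 and then tries to overwrite a pid-style file. The temp path, the PID value 4242 and the function names are constructed for illustration, and the EFBIG result assumes Linux.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* In a child: set RLIMIT_FSIZE to 0, then try to overwrite `path`.
 * Returns the child's errno from write() (0 means the write succeeded). */
static int overwrite_errno_with_fsize0(const char *path)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit rl = { 0, 0 };
        signal(SIGXFSZ, SIG_IGN);   /* default action would kill the child */
        if (setrlimit(RLIMIT_FSIZE, &rl) != 0) _exit(200);
        int fd = open(path, O_WRONLY);
        if (fd < 0) _exit(201);
        _exit(write(fd, "1\n", 2) < 0 ? errno : 0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Returns 1 if the write was refused with EFBIG and the file is unchanged. */
int pidfile_survives_fsize0(void)
{
    char path[] = "/tmp/pidfile-demo-XXXXXX";   /* constructed sample file */
    char buf[16] = { 0 };
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, "4242\n", 5) != 5) { close(fd); unlink(path); return -1; }
    close(fd);
    int err = overwrite_errno_with_fsize0(path);
    fd = open(path, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0) close(fd);
    unlink(path);
    return err == EFBIG && n == 5 && strcmp(buf, "4242\n") == 0;
}

int main(void) { return pidfile_survives_fsize0() == 1 ? 0 : 1; }
```

The limit is per process and inherited across fork, which is why the example applies it in a child rather than in the test process itself.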