On Mon, 04.04.11 13:41, Ludwig Nussel ([email protected]) wrote:

> > There are. A lot of software creates subdirectories beneath
> > /var/lock, for example LVM. If you allow creation of lockfiles in
> > /var/lock, then this enables the same programs to break LVM (and
> > everything else creating subdirs there), and even use LVM to break the
> > system even further.
> >
> > That's the point that https://bugzilla.redhat.com/show_bug.cgi?id=581884
> > tries to make.
>
> Well, that's not nice but not an immediate problem either. You'd
> have to exploit a bug in lockdev to gain access to the lock group
> first. Same risk as with any other setuid program.
But it defeats the point of the "lock" group. Because it enables code that
runs under that GID to destroy the system as if it was root.

Lennart

--
Lennart Poettering - Red Hat, Inc.
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
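The hazard discussed above (a group-writable /var/lock lets any member of the lock group tamper with subdirectories that LVM and others keep there) can be audited on a host with the following helper. It is an added example, not code from the thread or from systemd; it assumes a find(1) that understands -prune and octal -perm tests (GNU and BSD both do), and the directory to inspect is passed in rather than hard-coded.

```shell
#!/bin/sh
# Added audit helper, not part of the original thread or of systemd.
# Reports whether a shared lock directory (e.g. /var/lock) lets members of a
# non-root group remove or rename subdirectories created by other programs.

# audit_lock_dir DIR
# Returns 0 when DIR is not group-writable, or is group-writable with the sticky
# bit (so only an entry's owner can unlink/rename it); returns 1 when it is
# group-writable without the sticky bit and lists the exposed subdirectories.
audit_lock_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 2; }

    group_writable=0
    sticky=0
    # -prune stops descent, so only DIR itself is tested against -perm.
    [ -n "$(find "$dir" -prune -perm -020 -print)" ] && group_writable=1
    [ -n "$(find "$dir" -prune -perm -1000 -print)" ] && sticky=1

    if [ "$group_writable" -eq 0 ]; then
        echo "$dir: not group-writable, nothing to report"
        return 0
    fi
    if [ "$sticky" -eq 1 ]; then
        # Sticky bit: group members can still create entries (name squatting),
        # but cannot unlink or rename entries owned by root or other users.
        echo "$dir: group-writable with sticky bit; others' entries cannot be removed"
        return 0
    fi

    # Group-writable, no sticky bit: every subdirectory here (LVM's included)
    # can be unlinked or renamed by any member of the owning group.
    echo "$dir: group-writable without sticky bit; exposed subdirectories:"
    for sub in "$dir"/*/; do
        [ -d "$sub" ] && echo "  ${sub%/}"
    done
    return 1
}

# Stand-alone use: audit the directory named on the command line, e.g. /var/lock.
if [ $# -gt 0 ]; then
    audit_lock_dir "$1"
fi
```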
