Bug 223495
| Summary: | net-p2p/bitcoin: fix typos in startup script | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Vasil Dimov <vd> | ||||
| Component: | Individual Port(s) | Assignee: | freebsd-ports-bugs (Nobody) <ports-bugs> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Many People | CC: | robbak, robbak, vd | ||||
| Priority: | --- | Flags: | robbak:
maintainer-feedback+
|
||||
| Version: | Latest | ||||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| Attachments: |
|
||||||
|
Description
Vasil Dimov
2017-11-07 15:43:00 UTC
Created attachment 187824 [details]
fix
Comment on attachment 187824 [details]
fix
OK, thanks, noted and approved.
Is the issue with named file in .tmp that they get deleted, and so could be replaced by an unprivileged user, whereas files elsewhere, if the directory is not world-writable, could not be replaced with a simlink?
A commit references this bug: Author: vd Date: Wed Nov 8 08:18:27 UTC 2017 New revision: 453725 URL: https://svnweb.freebsd.org/changeset/ports/453725 Log: net-p2p/bitcoin: fix typos in startup script PR: 223495 Submitted by: vd@ Approved by: robbak@gmail.com (maintainer) Changes: head/net-p2p/bitcoin/Makefile head/net-p2p/bitcoin/files/bitcoind.in Committed in r453725. Yes, a malicious user could `ln -s /path/to/file/that/only/root_can_edit /tmp/foo` and when the root user does `command > /tmp/foo` it will overwrite that file. A safer approach is to either redirect to somewhere where symlinks cannot be planted willy-nilly by everybody or to use unpredictable names by employing mktemp(1). |