On Fri, 07 Dec 2018, intrigeri wrote:

> Hi,
>
> Peter Palfrader:
> > onionshare uses /tmp/onionshare_server.log as a logfile with --debug.
>
> Good catch!
>
> While that code obviously conflicts with basic secure programming best
> practices, it seems to me that the default settings of the
> fs.protected_symlinks and fs.protected_hardlinks sysctls protect
> Debian users against exploitation, so I find RC severity hard to
> justify given this only affects users who manually pass --debug under
> a non-default sysctl/kernel configuration.
>
> In any case, this should be fixed :)
In addition to the security issues of bad tempfile handling, it causes
onionshare to break for me, as on this system several users run onionshare.

-- 
                            |  .''`.  ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/
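The two problems named in this thread, a predictable shared path under /tmp (a symlink/hardlink hazard, mitigated on Debian by the fs.protected_symlinks and fs.protected_hardlinks sysctls) and the collision when several users run the program on one machine, are illustrated below with an added example. This is not onionshare's code and not code from either poster; the function names (`open_log_exclusively`, `per_user_log`, the two `simulate_*` helpers) and the scratch directories it creates are constructed for the example. The sysctl probe reads `/proc/sys/fs/protected_symlinks` and returns `None` where that file does not exist.

```python
"""Fixed /tmp log path vs. an exclusively created, per-user log file."""
import os
import stat
import tempfile

# The pattern criticised in the report: one predictable path shared by
# every user on the system (only the name is taken from the thread).
INSECURE_LOG_PATH = "/tmp/onionshare_server.log"
LOG_NAME = "onionshare_server.log"


def protected_symlinks_enabled():
    """True/False for the fs.protected_symlinks sysctl the thread relies on,
    None when it cannot be read (non-Linux or restricted /proc)."""
    try:
        with open("/proc/sys/fs/protected_symlinks") as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def open_log_exclusively(directory, name=LOG_NAME):
    """Create directory/name as a brand-new regular file with mode 0600.

    O_CREAT|O_EXCL refuses a path that already exists, including a symlink
    someone else planted there, so the program never writes through a link
    it did not create; O_NOFOLLOW is added where the platform has it. The
    private mode keeps other local users from reading the log. Raises
    FileExistsError when the path is already taken.
    """
    path = os.path.join(directory, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)  # 0 on platforms lacking the flag
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "w"), path


def per_user_log(prefix="onionshare_"):
    """Hardened form: a fresh 0700 directory under $TMPDIR (mkdtemp picks an
    unpredictable name), then exclusive creation inside it. Two users, or
    two runs, can never land on the same path."""
    directory = tempfile.mkdtemp(prefix=prefix)
    return open_log_exclusively(directory)


def inspect_log(path):
    """(is_regular_file, permission_bits) for a created log, via lstat so a
    symlink would not be mistaken for the file behind it."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode), stat.S_IMODE(st.st_mode)


def simulate_two_users():
    """Model the breakage Peter describes: with a fixed name inside one
    shared directory, the second opener is refused instead of silently
    reusing the first user's file. Returns (first_ok, second_error)."""
    shared = tempfile.mkdtemp(prefix="shared_tmp_")  # constructed stand-in for /tmp
    f, _ = open_log_exclusively(shared)
    f.close()
    try:
        open_log_exclusively(shared)
        return True, None
    except FileExistsError as e:
        return True, type(e).__name__


def simulate_symlink_at_path():
    """Defensive check: plant a symlink (in a scratch dir we own) where the
    log would go and confirm exclusive creation refuses it and never creates
    the link target. Returns (refused, target_created)."""
    scratch = tempfile.mkdtemp(prefix="scratch_")
    target = os.path.join(scratch, "victim")  # constructed, does not exist
    os.symlink(target, os.path.join(scratch, LOG_NAME))
    try:
        open_log_exclusively(scratch)
        refused = False
    except FileExistsError:
        refused = True
    return refused, os.path.exists(target)


if __name__ == "__main__":
    print("fs.protected_symlinks:", protected_symlinks_enabled())
    print("two users, fixed name:", simulate_two_users())
    print("symlink planted at path:", simulate_symlink_at_path())
    log, path = per_user_log()
    log.write("debug output goes here\n")
    log.close()
    print("per-user log:", path, inspect_log(path))
```

The sysctls intrigeri mentions only stop the kernel from following links in world-writable sticky directories; they do nothing about two legitimate users contending for the same name, which is why the hardened form moves the file out of the shared directory altogether rather than just opening it more carefully.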