Hi Mike,

Thank you for creating the bug.

On Fri, Mar 05, 2021 at 02:32:54PM +0000, Mike Gabriel wrote:
>  if [ ! -d $RDIR/empty ]; then
>      mkdir -p $RDIR/empty
> -    chown -R scanlogd:nogroup $RDIR
> +    chown scanlogd:nogroup $RDIR
> +    chown root:root $RDIR/empty
>  fi
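Review bot: the two added chown lines still sit inside the `if [ ! -d $RDIR/empty ]` block, so they run only when the directory is created for the first time; on a system where `$RDIR/empty` already exists, ownership is left as it was. The first added line also keeps `$RDIR` owned by scanlogd, which means the parent of the root-owned `$RDIR/empty` stays writable by a non-root user. Consider moving the ownership fix outside the conditional and setting both directories to root:root, and quoting `"$RDIR"` in the test, mkdir and chown lines.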

> @Alexander: you ok with this change? It should be sufficient, shouldn't it?

No, and no.  Two issues here:

1. ALL directories in the path must not be writable by any user other
than root.  This means all must have root as their owner.

2. If someone had already installed the previous package revision, these
new chown's wouldn't be reached (because of the "if") and thus insecure
permissions would persist over a package upgrade and service restart.

I think we need this:

mkdir -p $RDIR/empty
# The directory and its parent directories must not be writable by anyone but root
chown root:root $RDIR $RDIR/empty

and drop the "if".  "mkdir -p" is happy to ignore an already existing
directory (this is part of what the "-p" option does).

So just these 3 lines (including the comment) instead of the entire
if/fi block.

Alexander
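
A check for the first requirement in the message above (every directory in the path owned by root and writable by no one else), added here as an example and not part of the original message or of the scanlogd package. The function name `check_chroot_path`, its arguments and the use of GNU `stat -c` are assumptions; the optional owner and top arguments exist only so the check can be tried on a scratch tree.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the scanlogd package).
# Walks from TARGET up to TOP (default /) and reports every directory
# that is not owned by OWNER_UID (default 0 = root) or that is writable
# by group or others. Assumes GNU stat (-c).
#
# usage: check_chroot_path TARGET [OWNER_UID] [TOP]
#   e.g. check_chroot_path "$RDIR/empty"
# returns 0 if the whole path is clean, 1 if any directory is unsafe,
# 2 if TARGET or TOP cannot be entered.
check_chroot_path() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    owner=${2:-0}
    top=$(cd "${3:-/}" 2>/dev/null && pwd -P) || return 2
    rc=0
    while :; do
        uid=$(stat -c %u "$dir")
        mode=$(stat -c %a "$dir")    # octal digits, e.g. 755 or 1777
        if [ "$uid" != "$owner" ]; then
            echo "BAD owner uid=$uid: $dir"
            rc=1
        fi
        # The last two digits are the group and other permissions;
        # bit value 2 in either digit means "writable".
        if [ $(( (mode / 10) % 10 & 2 )) -ne 0 ] ||
           [ $(( mode % 10 & 2 )) -ne 0 ]; then
            echo "BAD mode $mode (group/other writable): $dir"
            rc=1
        fi
        # Stop at TOP, or at / if TOP is not an ancestor of TARGET.
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return $rc
}
```

Run after a package upgrade, this reports a directory left with the old ownership even though the init script's `if` block was skipped.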
