On Sun, 23 Nov 2008, Bart Samwel wrote:
> > 1. This program is running as root, right? I would be very careful with
> > sourcing arbitrary shell commands from a user's home directory then.
>
> I agree that that would be risky. However, on my system the .dbus
> directory is owned by root and not accessible to anyone else. So that
> should be no problem. (The session dbus system is apparently set up by

Yes it is a problem. Here it's not owned by root and furthermore the user
has write rights to ~/ so he can "mv .dbus .dbus-temp".

Please be more careful about security when you think of code running as root.
You should rather parse those files and not source them directly.

Or maybe you can call dbus-send with the user rights (su user -c "")
provided that you include an "export DISPLAY=…" command before the
dbus-send command?

Cheers,
-- 
Raphaël Hertzog

The French best-seller updated for Debian Etch:
http://www.ouaza.com/livre/admin-debian/
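Added example, not part of the original message and not code from the program under discussion: one way to "parse those files and not source them" from a root-run script. The file layout (KEY=value lines including DBUS_SESSION_BUS_ADDRESS), the function names and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Assumption: the session file holds plain KEY=value lines, one of them
# DBUS_SESSION_BUS_ADDRESS=<address>. The thread only names ~/.dbus.

# parse_dbus_address FILE: print the bus address, or return non-zero.
# The file is read as data; nothing in it is ever evaluated.
parse_dbus_address() {
    file=$1
    # The user owns ~/ and can swap anything below it, so refuse
    # symlinks and anything that is not a regular file.
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    addr=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            DBUS_SESSION_BUS_ADDRESS=*)
                addr=${line#DBUS_SESSION_BUS_ADDRESS=} ;;
        esac
    done < "$file"
    # Allow-list: non-empty, and no character outside this set, so
    # quotes, spaces, ';', '$' and backticks all cause a rejection.
    case $addr in
        ''|*[!A-Za-z0-9_/.,:=%-]*) return 1 ;;
    esac
    printf '%s\n' "$addr"
}

# Constructed sample (not a real session file): the last line would run
# as root if the file were sourced instead of parsed.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-EXAMPLE,guid=0123abcd' \
        'DBUS_SESSION_BUS_PID=4242' \
        "touch $dir/ran-as-root" > "$dir/session"
    parse_dbus_address "$dir/session"; rc=$?
    [ -e "$dir/ran-as-root" ] && rc=2   # 2 = hostile line was executed
    rm -rf "$dir"
    return $rc
}
```

Calling `demo` prints the parsed address. The address is still chosen by the user, so the su suggestion in the message above still applies to the dbus-send call itself.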

