* Michael Gilbert <[email protected]>, 2012-10-08, 14:15:
> "Packages must not include files or directories under /run, or under the older /var/run and /var/lock paths."
> The thing is that it really does no harm if a package actually does this

Given that /var/lock is world-writable in Debian, and that dpkg follows symlinks to directories, at least shipping directories in /var/lock is almost certainly a security hole. (Fortunately, this is mitigated by the protected_symlinks feature of recent kernels.)

--
Jakub Wilk
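
An added illustration of the point made in the message above (not part of the original email, and not Debian's own tooling): a check that reads `dpkg-deb -c` style output and flags entries shipped below `/run`, `/var/run` or `/var/lock`, plus a read of the `fs.protected_symlinks` sysctl that the message names as the mitigation. The listing, the package name `example` and the function names are constructed for this example; the tar-style line layout is assumed to match what `dpkg-deb -c` prints.

```python
import posixpath
import re

# Locations named in the policy sentence quoted in the message.
FORBIDDEN_ROOTS = ("/run", "/var/run", "/var/lock")

# One `dpkg-deb -c` line: perms owner/group size date time path [-> target]
ENTRY = re.compile(r"^(\S{10})\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)$")

# Constructed sample listing for a hypothetical package "example".
SAMPLE_LISTING = """\
drwxr-xr-x root/root         0 2012-10-08 14:15 ./
drwxr-xr-x root/root         0 2012-10-08 14:15 ./var/lock/
drwxr-xr-x root/root         0 2012-10-08 14:15 ./var/lock/example/
-rw-r--r-- root/root         5 2012-10-08 14:15 ./run/example.pid
-rw-r--r-- root/root       120 2012-10-08 14:15 ./var/lockd/notes
lrwxrwxrwx root/root         0 2012-10-08 14:15 ./usr/lib/example/lock -> /var/lock/example
"""

def normalise(entry):
    """'./var/lock/example/' -> '/var/lock/example'; symlink targets dropped."""
    name = entry.split(" -> ", 1)[0]
    return posixpath.normpath("/" + name.lstrip("/"))

def policy_violations(listing):
    """Return (kind, path) for every entry shipped below a forbidden root."""
    found = []
    for line in listing.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue
        perms, path = match.group(1), normalise(match.group(2))
        # Compare whole path components so /var/lockd is not a hit.
        if any(path.startswith(root + "/") for root in FORBIDDEN_ROOTS):
            found.append(("directory" if perms[0] == "d" else "file", path))
    return found

def protected_symlinks_enabled(path="/proc/sys/fs/protected_symlinks"):
    """True/False from the sysctl, None if the kernel does not expose it."""
    try:
        with open(path) as handle:
            return handle.read().strip() == "1"
    except OSError:
        return None

if __name__ == "__main__":
    for kind, path in policy_violations(SAMPLE_LISTING):
        print(f"policy violation: package ships {kind} {path}")
    print("fs.protected_symlinks enabled:", protected_symlinks_enabled())
```

The symlink entry is not reported because the package ships it under `/usr/lib`, and the bare `/var/lock/` entry is not reported because only paths below the listed roots are matched.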

