[Mono-bugs] [Bug 77340][Maj] Changed - Local user can overwrite arbitrary file using mono-service
bugzilla-daemon at bugzilla.ximian.com
Sun Jul 30 08:43:53 EDT 2006
Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.
Changed by alp at atoker.com.
http://bugzilla.ximian.com/show_bug.cgi?id=77340
--- shadow/77340 2006-02-13 07:11:05.000000000 -0500
+++ shadow/77340.tmp.12280 2006-07-30 08:43:53.000000000 -0400
@@ -2,13 +2,13 @@
Product: Mono: Tools
Version: 1.1
OS: GNU/Linux [Other]
OS Details:
Status: NEW
Resolution:
-Severity:
+Severity: Unknown
Priority: Major
Component: tools
AssignedTo: mono-bugs at ximian.com
ReportedBy: pawel.sakowski at mind-breeze.com
QAContact: mono-bugs at ximian.com
TargetMilestone: ---
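Review bot: The `+Severity: Unknown` line leaves the severity field unclassified while Priority stays Major and the subject describes a local user overwriting an arbitrary file. Set Severity to a value that reflects that impact so the record is triaged as a security issue instead of resting on Unknown.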
@@ -45,6 +45,23 @@
non-world-writable /var/run/basename.pid as the standard pid file location.
------- Additional Comments From pawel.sakowski at mind-breeze.com 2006-02-13 07:11 -------
Created an attachment (id=16482)
A proposed minimalist solution (using /var/run instead of /tmp, no improvement in lockfile creation style)
+
+------- Additional Comments From alp at atoker.com 2006-07-30 08:43 -------
+It seems that no Mono developer is willing to maintain this code. The
+shell script is a total hack. It's unsupportable and should not ship
+in its current state.
+
+I just helped someone who was trying to use mono-service (the shell
+script) on a production server. After looking at the script, I noticed
+that it redirects all output including standard error to /dev/null --
+this is also no good.
+
+This critical security bug has been open for six months without
+getting assigned or commented on, so I'll be happy to remove the
+script from the install target in a couple of days if there's no
+further comment as it seems to be unmaintained, and no changes have
+been made since my 2006-04-21 fixes.
+
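Review bot: The added comment proposes removing the script from the install target but does not say whether attachment 16482 was evaluated, and the context line above records that it moves the pid file to /var/run with "no improvement in lockfile creation style". If the script is kept in any form, the record should track both open points from this hunk: how the pid/lock file is created, and the redirection of all output including standard error to /dev/null, which hides failures from whoever runs the service.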