[LEDE-DEV] /var/run world writable

John Crispin john at phrozen.org
Thu Jun 16 00:11:05 PDT 2016


No reason. Feel free to send a patch to fix it.

	John

On 16/06/2016 09:07, Etienne Champetier wrote:
> Hi,
> 
> since this procd commit from 2013
> https://git.lede-project.org/?p=project/procd.git;a=blob;f=early.c;h=063e1a6abcc8ecdf22b9c8c11b2e81cc2460bcea;hb=be950c5e56b86509e1e237931d0ac8203372be82
> 
> /var/run (also /var/state and /var/lock) is world writable, with no
> sticky bit, which means an unprivileged process can delete root files (or
> many other attacks).
> 
> Do you remember if there was a reason to make it 0777?
> I think before procd this was only handled by /etc/init.d/boot and it was 0755
> 
> On Ubuntu 15.10 it's 0755 for /var/run and 1777 for /var/state and /var/lock
> see also FHS stating that /run (new /var/run) should not be world writable
> http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html#idm236092622080
> 
> Regards
> Etienne
> 
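Added example, not part of the original thread or of procd: a read-only shell check for the condition described in the message above (a world-writable directory with no sticky bit), run against the three directories it names. The function names are made up for this example, and it assumes a POSIX `find`.

```shell
#!/bin/sh
# Added example: read-only audit of directory modes. Nothing is changed on disk.

# classify_dir DIR -> prints unsafe | sticky | restricted | missing
# "$1/." makes find examine the directory itself even when DIR is a symlink
# (e.g. /var/run -> /run on some distributions).
classify_dir() {
    [ -d "$1" ] || { echo missing; return 0; }
    if [ -n "$(find "$1/." -prune -perm -0002 ! -perm -1000 2>/dev/null)" ]; then
        echo unsafe       # o+w, no sticky bit: any user can unlink or rename entries
    elif [ -n "$(find "$1/." -prune -perm -0002 2>/dev/null)" ]; then
        echo sticky       # o+w with sticky bit: removal limited to entry owner, dir owner, root
    else
        echo restricted   # not world-writable
    fi
}

# audit_dirs DIR... -> one report line per directory; returns 1 if any is unsafe.
audit_dirs() {
    rc=0
    for dir in "$@"; do
        state=$(classify_dir "$dir")
        if [ "$state" = unsafe ]; then
            rc=1
            # Depth-1 entries owned by root: what an unprivileged process could delete.
            n=$(( $(find "$dir/." ! -name . -prune -user root 2>/dev/null | wc -l) ))
            echo "$dir: unsafe, root-owned entries exposed: $n"
        else
            echo "$dir: $state"
        fi
    done
    return $rc
}

# The three directories named in the thread.
audit_dirs /var/run /var/state /var/lock || echo "at least one directory is world writable without the sticky bit"
```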


