[Pm-utils] pm-utils 1.2.1 and 1.1.2.5 released

Victor Lowther victor.lowther at gmail.com
Sat Oct 4 19:14:03 PDT 2008


On Sun, 2008-10-05 at 00:56 +0200, Michael Biebl wrote:
> Hi Victor,
> 
> thanks for the nice release.
> 
> 2008/10/4 Victor Lowther <victor.lowther at gmail.com>:
> > 1.2.1 Release Announcement
> >      * pm-utils has support for saving quirks as a HAL FDI file. If
> >        called with --store-quirks-as-fdi, an .fdi file specific to the
> >        machine and quirks passed on the command line will be written
> >        to /tmp/pm-utils-created.fdi.
> 
> This sounds dangerous, looks like insecure tmp file usage.
> A malicious attacker could create a symlink and this way trick you
> overwriting important files.

True, but as a malicious attacker why go to the effort of creating a tmp
symlink and then getting someone with root permissions to test
suspending and resuming their machine to overwrite their /etc/passwd
with xml?  Just crack root using your favourite local exploit and do it
without social engineering, or fork bomb them to death.

Not that it won't be fixed in the next release. :)

> I see three possibilities:
> 1.) Use mktemp to create a random name (and tell the user the name).
> 2.) Store the file in /etc/hal/fdi, isn't it intended for that anyway?
> 3.) Dump the fdi file to stdout.

Option 2 sounds good to me -- call
it /etc/hal/fdi/information/99local-pm-utils-quirks.fdi or something
like that.

> Cheers,
> Michael
-- 
Victor Lowther
Ubuntu Certified Professional
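An added illustration of the tmp-file issue raised in this thread (example code, not anything from pm-utils itself): the fixed-name write to /tmp that Michael objects to, next to the two safe alternatives he proposes. The fdi key names and the writer function names are assumptions for the example, not taken from the release.

```shell
#!/bin/sh
# Added example, not pm-utils code. Shows the predictable /tmp write flagged
# in the thread beside the two safe patterns proposed: a mktemp-generated name
# reported to the user, or a file installed under a root-owned directory.
# The power_management.quirk.* keys below are assumed for illustration.

# Render quirk flags such as --quirk-vbe-post as a minimal HAL fdi document.
quirks_to_fdi() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<deviceinfo version="0.2">\n'
    printf '  <device>\n    <match key="info.udi" string="/org/freedesktop/Hal/devices/computer">\n'
    for q in "$@"; do
        name=$(printf '%s' "${q#--quirk-}" | tr '-' '_')
        printf '      <merge key="power_management.quirk.%s" type="bool">true</merge>\n' "$name"
    done
    printf '    </match>\n  </device>\n</deviceinfo>\n'
}

# Insecure: a predictable name in a world-writable directory. If that path
# already exists as a symlink planted by another local user, the redirection
# follows it and a root caller overwrites whatever the link points at.
write_fdi_insecure() {
    quirks_to_fdi "$@" > /tmp/pm-utils-created.fdi
}

# Option 1: mktemp creates a fresh name with O_EXCL and mode 0600, so a
# pre-existing symlink can never be the file that gets written; the real
# path is printed so the user knows where the file went.
write_fdi_mktemp() {
    out=$(mktemp "${TMPDIR:-/tmp}/pm-utils-quirks.XXXXXX") || return 1
    quirks_to_fdi "$@" > "$out" || return 1
    printf '%s\n' "$out"
}

# Option 2: install into a directory only root can modify (the thread suggests
# /etc/hal/fdi/information) using a temp file in that same directory and an
# atomic rename, which replaces any existing entry instead of writing through it.
install_fdi() {
    dir=$1; shift
    tmp=$(mktemp "$dir/.99local-pm-utils-quirks.XXXXXX") || return 1
    quirks_to_fdi "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp"
    mv -f "$tmp" "$dir/99local-pm-utils-quirks.fdi"
}
```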
