Comment 15 for bug 1174608

Thierry Carrez (ttx) wrote : Re: Insecure directory creation for signing

I think that's the right trade-off. Changing the default will fix it for new users, printing the warning in the log will alert existing vulnerable users but won't break them on upgrade, and we suppose that the parameter given is a correctly-owned directory.

Even the TOCTOU race seems closed since os.makedirs fails if the directory exists.
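The behaviour this comment describes, sketched as an added example that is not part of the original comment or the project's own code: create the directory privately, and if it already exists, log a warning instead of failing. The function names `ensure_signing_dir` and `verify_signing_dir` and the 0700 mode are assumptions made for illustration.

```python
import logging
import os
import stat

LOG = logging.getLogger(__name__)


def verify_signing_dir(path):
    """Return a list of problems with an existing path (empty if it looks safe)."""
    st = os.lstat(path)  # lstat: inspect the entry itself, not a symlink target
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_uid != os.getuid():
        problems.append("owned by uid %d, expected %d" % (st.st_uid, os.getuid()))
    if mode & 0o077:
        problems.append("mode %o grants group/other access" % mode)
    return problems


def ensure_signing_dir(path):
    """Create path with owner-only access, or warn if it already exists insecurely.

    Returns ("created", []) or ("existing", [problems...]).
    """
    try:
        # Without exist_ok, makedirs raises FileExistsError when anything is
        # already at path, so a directory planted by another user between a
        # check and the creation is never silently adopted as our own.
        # The umask can only clear bits, so the result is never wider than 0700.
        os.makedirs(path, mode=0o700)
        return "created", []
    except FileExistsError:
        # Existing deployments keep working on upgrade; the operator is
        # alerted through the log instead of a hard failure.
        problems = verify_signing_dir(path)
        for problem in problems:
            LOG.warning("signing directory %s: %s", path, problem)
        return "existing", problems
```
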