cinnamon-settings-users.py: fix symlink attack vulnerability #7683
This script runs as root and allows to configure e.g. other user's icon
This change introduces temporary privilege drops to the target user's
I reported this privately to @clefebvre by mail and he asked me to publish it right away via a PR. So here it is.
I think this is the safest way to fix the issue, so we don't have to worry about race conditions and open flags, letting the kernel do the actual security checks. Even safer would be not even to write that file as root, of course ;-)
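The temporary privilege drop described in this PR, as an added example that is not the code from the PR itself. The helper names `as_user` and `write_user_file`, the file name `icon`, and uid/gid 65534 for `nobody` are assumptions made for illustration.

```python
import contextlib
import os
import tempfile


@contextlib.contextmanager
def as_user(uid, gid, groups=()):
    """Temporarily take on the target user's effective credentials."""
    saved_uid, saved_gid, saved_groups = os.geteuid(), os.getegid(), os.getgroups()
    is_root = saved_uid == 0  # only root may replace the supplementary groups
    try:
        if is_root:
            os.setgroups(list(groups))
        os.setegid(gid)  # groups first: root's euid is still needed for this
        os.seteuid(uid)  # uid last
        yield
    finally:
        os.seteuid(saved_uid)  # real uid was never changed, so this is allowed
        os.setegid(saved_gid)
        if is_root:
            os.setgroups(saved_groups)


def write_user_file(path, data, uid, gid, groups=()):
    """Write data to a path inside the user's home, as that user."""
    with as_user(uid, gid, groups):
        # Plain open(): the kernel checks the whole path, including a
        # symlink's destination, against the dropped credentials.
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Constructed scenario: 'icon' is a symlink to a file the user cannot write."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o755)
    protected = os.path.join(home, "protected")
    with open(protected, "wb") as fh:
        fh.write(b"original")
    os.chmod(protected, 0o400)
    link = os.path.join(home, "icon")  # hypothetical file name
    os.symlink(protected, link)
    # As root, act for 'nobody' (65534, assumed); otherwise for ourselves.
    uid, gid = (65534, 65534) if os.geteuid() == 0 else (os.getuid(), os.getgid())
    try:
        write_user_file(link, b"icon bytes", uid, gid)
        outcome = "written"
    except OSError:
        outcome = "refused"
    with open(protected, "rb") as fh:
        return outcome, fh.read()
```

The effective uid and gid are process-wide, so a multi-threaded program needs to keep other threads from doing file I/O while the drop is active.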