ifh-hn•1h ago
I wonder if, and this is just speculating, not trying to start an argument, this sort of thing could have happened in the simpler pre-snap, pre-systemd systems? More to the point, is this a cause of using more complicated software?
dogleash•1h ago
Permission and timing gotchas in /tmp predate snap and systemd. It's why things like `mkstemp` exist.
I remember cron jobs that did what systemd-tmpfiles-clean does before it existed. All unix daemons using /tmp run the risk of misusing /tmp. I don't know snap well enough to say whether anything about it makes it uniquely more susceptible to that.
SoftTalker•40m ago
The mistake seems to be using a predictable path (/tmp/.snap) in a publicly-writable directory.
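dogleash's point about why `mkstemp` exists and SoftTalker's about a predictable path in a world-writable directory come down to the same `open()` semantics. This is an added C illustration, not code from the thread, from snap or from the linked article; the function names, the demo directory and the pre-placed file are my own constructed assumptions:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Risky pattern: a fixed, guessable name in a shared directory, opened without
 * O_EXCL. Whatever already sits at that name is silently reused. */
int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}
/* Hardened fixed-path variant: O_EXCL makes create-or-fail atomic (EEXIST if
 * anything is already there) and O_NOFOLLOW refuses a symlink at that name. */
int open_fixed_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
/* Preferred: mkstemp picks an unguessable name and creates it atomically with
 * O_CREAT|O_EXCL and mode 0600; tmpl is rewritten in place with that name. */
int open_unpredictable(char *tmpl) {
    return mkstemp(tmpl);
}
/* Demo in a private mkdtemp directory (a constructed stand-in for /tmp) with a
 * file pre-placed at the guessable name. Returns 0 when every opener behaves as
 * described above, else the number of the first step that did not. */
int demo(void) {
    char dir[] = "/tmp/hn-tmpdemo-XXXXXX";
    if (mkdtemp(dir) == NULL) return 1;
    char fixed[256], tmpl[256];
    snprintf(fixed, sizeof fixed, "%s/.predictable", dir);
    snprintf(tmpl, sizeof tmpl, "%s/daemon.XXXXXX", dir);
    int rc = 0, fd = open(fixed, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) rc = 2; else close(fd);          /* pre-position an entry */
    if (rc == 0) {                               /* naive open reuses it */
        fd = open_predictable(fixed);
        if (fd < 0) rc = 3; else close(fd);
    }
    if (rc == 0) {                               /* hardened open refuses it */
        fd = open_fixed_exclusive(fixed);
        if (fd >= 0) { close(fd); rc = 4; } else if (errno != EEXIST) rc = 5;
    }
    if (rc == 0) {                               /* mkstemp: fresh random name */
        fd = open_unpredictable(tmpl);
        if (fd < 0) rc = 6;
        else { close(fd); if (strstr(tmpl, "XXXXXX")) rc = 7; unlink(tmpl); }
    }
    unlink(fixed); rmdir(dir);
    return rc;
}
```

The naive opener never notices that the entry at the fixed name was not its own, which is exactly what `O_EXCL` (and the name randomisation in `mkstemp`) turns into a hard failure.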
rglover•19m ago
Semi-related: does anybody know of a reliable API that announces CVEs as they're published?
ptx•1h ago
The article linked in the submission is more verbose but less clear and half of it is an advertisement for their product.