Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#15115 - [quassel] Quasselcore runs as root through init script.
Attached to Project:
Community Packages
Opened by Pieter Steyn (appel) - Monday, 15 June 2009, 18:37 GMT
Last edited by Vesa Kaihlavirta (vegai) - Friday, 05 February 2010, 10:20 GMT
Opened by Pieter Steyn (appel) - Monday, 15 June 2009, 18:37 GMT
Last edited by Vesa Kaihlavirta (vegai) - Friday, 05 February 2010, 10:20 GMT
|
DetailsDescription:Potentially insecure initscript.
Additional info: * all package versions. * default config. Steps to reproduce: The quassel init script starts the quasselcore as root. I don't think there are any known vulnerabilities yet, but running IRC as root is never a good idea. |
This task depends upon
Also, I'm curious as to how this is a 'feature request' and not a 'bug report'. An init script running an irc client as ROOT is clearly a bug, and should remain a bug report.
Thanks.
http://aur.archlinux.org/packages.php?ID=24922
Feedback is welcome!
http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-irc/quassel/files/quasselcore-2.conf?rev=1.1&view=markup
http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-irc/quassel/files/quasselcore-2.init?rev=1.1&view=markup
A similar issue here:
FS#15102Gaetan, adapt quassel-light as you see fit.
0.5.2-1 coming soon
Vesa, maybe add a backup entry for /etc/conf.d/quassel?