COMMAND

    kfm

SYSTEMS AFFECTED

    KDE

PROBLEM

    Paul Starzetz found following.   There is a symlink/owner  problem
    in the KDE file manager kfm.  He found it on SuSE 7.0 but not sure
    if it is an original SuSE  package or not, rpm doesn't know  about
    it:

        paul@ps:/tmp > rpm -qfi /usr/opt/kde/bin/kfm
        die Datei »/usr/opt/kde/bin/kfm« gehört zu keinem Paket

    what means that the kfm binary  is not known to rpm.   However, we
    suspect that it is included in all KDE1 distributions.

    kfm will  create a  cache directory  in /tmp  without checking for
    correct onwership named kfm-cache-UID  where UID is the  numerical
    user  id.   Then  it  will  write  to  files in the cache dir, for
    example:

        root@ps:/tmp/kfm-cache-500 > ls -la
        drwxrwxrwx   2 rws      uboot        4096 Apr 18 21:18 .
        drwxrwxrwt  15 root     root       770048 Apr 18 21:16 ..
        lrwxrwxrwx   1 rws      uboot          18 Apr 18 21:18 index.html ->
        /home/paul/.bashrc
        -rw-r--r--   1 rws      uboot           0 Apr 18 21:16 index.txt
        
        root@ps:/tmp/kfm-cache-500 > ls -la /home/paul/.bashrc
        -rw-r--r--   1 paul     users        1458 Jan 23 13:56
        /home/paul/.bashrc

    and after running kfm as user 500:

        root@ps:/tmp/kfm-cache-500 > ls -la /home/paul/.bashrc
        -rw-r--r--   1 paul     users         271 Apr 18 21:19
        /home/paul/.bashrc

    The impact is obvious.

SOLUTION

    Nothing yet.