From: Paul Eggert <eggert@cs.ucla.edu>
Date: Mon, 5 Jul 2004 07:07:05 +0000 (+0000)
Subject: (Install): Warn that you should create
X-Git-Tag: Release-1-8d~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=abe03dd690b28027cea97532201ec991448537e1;p=thirdparty%2Fautomake.git

(Install): Warn that you should create
/tmp/staging before installing into it, to avoid security problems.
---

diff --git a/doc/automake.texi b/doc/automake.texi
index b4a007b63..0245b13b2 100644
--- a/doc/automake.texi
+++ b/doc/automake.texi
@@ -5258,10 +5258,13 @@ path is prefixed with the value of @samp{DESTDIR} before being copied
 into the install area.  Here is an example of typical DESTDIR usage:
 
 @example
+mkdir /tmp/staging &&
 make DESTDIR=/tmp/staging install
 @end example
 
-This places install objects in a directory tree built under
+The @command{mkdir} command avoids a security problem if the attacker
+creates a symbolic link from @file{/tmp/staging} to a victim area;
+then @command{make} places install objects in a directory tree built under
 @file{/tmp/staging}.  If @file{/gnu/bin/foo} and
 @file{/gnu/share/aclocal/foo.m4} are to be installed, the above command
 would install @file{/tmp/staging/gnu/bin/foo} and