You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(installer): refuse to chown through a symlinked ~/.local (security)
The #306 root-only ownership repair ran chown on ~/.local and ~/.local/bin
without a symlink guard. If an untrusted target user pre-staged ~/.local
(or ~/.local/bin) as a symlink (e.g. -> /etc) before a root install, the
chown would follow it and transfer ownership of the link target to that
user — a local privilege escalation. chown -h/nofollow isn't portable, so
the repair now refuses (with a warning) when either path is already a
symlink. Regenerated all install scripts; manifest drift contract stays
clean (typecheck + check-manifest-drift both green).
Co-Authored-By: Claude <noreply@anthropic.com>
0 commit comments