Do not pass ntpUtility as an argument to datetime helper
Review Request #120977 - Created Nov. 4, 2014 and submitted - Latest diff uploaded
First patch:Do not pass ntpUtility as an argument to datetime helper Passing the name of a binary to run to a polkit helper is a security risk as it allows any arbitrary process to be executed. This patch moves the detection of ntp utility location into the helper function.
Second patch:Validate timezone name before setting This patch ensures that the symlink /etc/localtime always points to a file in /usr/share/timezones and not an arbitrary file in a user's home directory.
Ran kcmshell4 clock. Timezone code definitely still works.
NTP seemed to work as before.
My exploit no longer works.