Local privilege escalation vulnerability in our rpms
In tor.spec.in we do:
# Older tor RPMS used a different username for the tor daemon.
# Make sure the runtime data have the right ownership.
%__chown -R %{toruser}.%{torgroup} %{_localstatedir}/{lib,log,run}/%{name}
That -R will let an attacker who gets control of the _tor user get control of other files on the system.
The fix is to remove the -R from that line.
The downside is that we won't actually get the smooth upgrade that the comment implies. I wonder if these "older Tor rpms" still exist?
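As an added example (not part of this ticket or of Tor's packaging), the sketch below shows the non-recursive form of the ownership fix plus an audit a packager could run on the runtime directories before deciding whether any recursion is safe. The function names `risky_entries` and `chown_top_only` are hypothetical, and flagging hard links and symlinks as the entries to review is this example's assumption, based on the fact that a hard-linked file keeps its other names outside the tree.

```shell
#!/bin/sh
# Added example; not code from tor.spec.in.

# risky_entries DIR...
# Lists entries inside the daemon-writable trees that a root-run ownership
# change should not touch blindly. Output: "<kind> <path>", one per line.
# Assumption of this example: hard links and symlinks are what to flag.
risky_entries() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # Regular files with more than one name: the other name may live
        # outside DIR, so changing the owner here changes it there too.
        find "$dir" -xdev -type f -links +1 | sed 's/^/hardlink /'
        # Symlinks: their targets are chosen by whoever could write to DIR.
        find "$dir" -xdev -type l | sed 's/^/symlink /'
    done
}

# chown_top_only OWNER DIR...
# The fix proposed in the ticket: change ownership of the named directories
# themselves, without -R. Refuses anything that is not a real directory.
chown_top_only() {
    owner=$1
    shift
    rc=0
    for dir in "$@"; do
        if [ -L "$dir" ] || [ ! -d "$dir" ]; then
            echo "skip: $dir is not a real directory" >&2
            rc=1
            continue
        fi
        chown "$owner" "$dir" || rc=1
    done
    return $rc
}

# Usage sketch (paths assume %{_localstatedir} is /var and %{name} is tor):
#   risky_entries /var/lib/tor /var/log/tor /var/run/tor
#   chown_top_only _tor:_tor /var/lib/tor /var/log/tor /var/run/tor
```

Any line printed by `risky_entries` is a reason to inspect the tree by hand rather than let a package scriptlet change ownership automatically.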