[Pkg-aide-maintainers] Bug#373255: Predictable names in tmp are a
security risk
Goswin von Brederlow
brederlo at informatik.uni-tuebingen.de
Sun Apr 15 13:21:13 UTC 2007
Hi,
aide uses a very predictable name in tmp (/tmp/empty/aide.db) with the
assumption that it will give an error because the file does not exist.
A malicious user can easily create /tmp/empty and place a dummy db in
there and thus disrupt or even negate the effect of aide.
If you want to force people to configure your package before use then
please do use something reliably absent. Never use a static file in a
world writable place.
MfG
Goswin
More information about the Pkg-aide-maintainers
mailing list