[Pkg-aide-maintainers] Bug#373255: Predictable names in tmp are a security risk

Goswin von Brederlow brederlo at informatik.uni-tuebingen.de
Sun Apr 15 13:21:13 UTC 2007


Hi,

aide uses a very predictable name in tmp (/tmp/empty/aide.db) with the
assumption that it will give an error because the file does not exist.

A malicious user can easily create /tmp/empty and place a dummy db in
there and thus disrupt or even negate the effect of aide.


If you want to force people to configure your package before use then
please do use something reliably absent. Never use a static file in a
world writable place.

MfG
        Goswin




More information about the Pkg-aide-maintainers mailing list