Bug#373255: [Pkg-aide-maintainers] Bug#373255: Predictable names in tmp are a security risk

Marc Haber mh+debian-packages at zugschlus.de
Sun Apr 15 17:39:43 UTC 2007


On Sun, Apr 15, 2007 at 03:21:13PM +0200, Goswin von Brederlow wrote:
> aide uses a very predictable name in tmp (/tmp/empty/aide.db) with the
> assumption that it will give an error because the file does not exist.
> 
> A malicious user can easily create /tmp/empty and place a dummy db in
> there and thus disrupt or even negate the effect of aide.

How can it disrupt the effect of aide? People are not supposed to
directly call aide without giving a configuration file.

> If you want to force people to configure your package before use then
> please do use something reliably absent.

What do you suggest using?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
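
An added example, not part of the original message or of the aide package: a defender-side check for whether a path such as /tmp/empty/aide.db can be created or swapped by an account outside a trusted set. The names `plantable_at`, `others_can_write`, `trusted_uids` and `root` are hypothetical, and treating any group-writable directory as untrusted is a conservative assumption.

```python
import os
import stat


def others_can_write(st, trusted_uids):
    """True if an account outside trusted_uids can create entries in this directory.

    Assumption: group write is treated like world write (conservative)."""
    return st.st_uid not in trusted_uids or bool(
        st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def plantable_at(path, trusted_uids=frozenset({0}), root="/"):
    """Return the first directory under which an untrusted account could create
    or swap a component of `path`, or None. `root` itself is assumed trustworthy."""
    cur = os.path.abspath(root)
    rel = os.path.relpath(os.path.abspath(path), cur)
    for comp in rel.split(os.sep):
        parent = os.lstat(cur)
        nxt = os.path.join(cur, comp)
        try:
            child = os.lstat(nxt)
        except FileNotFoundError:
            # Missing component: whoever can write to `cur` decides what appears here.
            return cur if others_can_write(parent, trusted_uids) else None
        if child.st_uid not in trusted_uids:
            # The component already exists and belongs to an untrusted account.
            return cur
        # In a sticky directory, others cannot rename or delete a trusted-owned entry.
        if others_can_write(parent, trusted_uids) and not parent.st_mode & stat.S_ISVTX:
            return cur
        cur = nxt
    return None


if __name__ == "__main__":
    # The default path discussed in this bug report.
    print(plantable_at("/tmp/empty/aide.db"))
```

A result of `None` means every existing component is owned by a trusted account and the first missing one sits in a directory only trusted accounts can write to.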



