Hi Alexander,

Many thanks for your email. I have been willing to review rkhunter bugs before submitting it.

On Wednesday 27 August 2008 at 04:00 +0400, Solar Designer wrote:
> FWIW, I happened to independently notice this and report it upstream a
> week ago:
>
> https://sourceforge.net/tracker/?func=detail&atid=794190&aid=1971965&group_id=155034
>
> "While I am at it, I suggest that you change /tmp/rkhunter-debug to
> /var/run/rkhunter-debug. Right now, you have a security hole allowing for
> local root compromise, although indeed the race condition is hard to
> trigger in practice.
>
> To those reading this: please note that this suggestion by no means
> constitutes a security review of rkhunter by me."
>
> I notice that the Debian package was fixed to use mktemp; I think that a
> fixed filename under /var/run would be better in this case. Also,
> rkhunter could be patched to enforce mode 600 on the file, regardless of
> umask. (mktemp does that, but when a fixed filename under /var/run is
> used instead, that would need to be explicit.) Oh, and I was probably
> wrong about the race condition being hard to trigger - I forgot about
> directory notifications for a moment.

I am far from being a security expert. Do you suggest that using /var/run/rkhunter-debug is better than /tmp/rkhunter-debug.XXXXXXXX (created using mktemp)? Or is that still using mktemp to create a /var/run/rkhunter-debug.XXXXXX file? Can you explain why it is more secure?

I am ready to patch the rkhunter Debian package, but need to be sure I understand well what I do!

Thanks again for your help.

Cheers,
Julien
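
The two options discussed in this thread, side by side, as an added example that is not part of the original messages and is not code from rkhunter or the Debian package. The function names and the directory parameter are hypothetical; option B assumes the directory is owned by root, which the sketch does not check.

```shell
#!/bin/sh
# Added example: not rkhunter's or Debian's code; function names are hypothetical.

# Option A: unpredictable name. mktemp creates the file exclusively and
# with mode 0600, so a name planted in advance in a world-writable
# directory makes creation fail instead of being followed.
debug_file_mktemp() {
    mktemp "${1:-/tmp}/rkhunter-debug.XXXXXXXX"
}

# Option B: fixed name, valid only in a directory that other users cannot
# write to (such as /var/run; root ownership is assumed, not checked).
# The body runs in a subshell so that the umask and noclobber settings
# do not leak into the caller.
debug_file_fixed() (
    dir=${1:-/var/run}
    file=$dir/rkhunter-debug

    # Accept only a real directory that is neither group- nor
    # world-writable; elsewhere another user could pre-create or swap
    # the fixed name.
    perms=$(ls -ld "$dir" 2>/dev/null | cut -c1-10)
    case $perms in
        d????[!w]??[!w]?) ;;
        *) echo "unsafe directory: $dir" >&2; exit 1 ;;
    esac

    umask 077            # mode 600 regardless of the caller's umask
    rm -f "$file"        # drop a stale file or link (removes the link itself)
    set -C               # noclobber: fail rather than reuse an existing name
    : > "$file" || exit 1
    printf '%s\n' "$file"
)
```

Both functions print the path of the file they created; option B exits non-zero without creating anything when pointed at a directory such as /tmp.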