FWIW, I happened to independently notice this and report it upstream a week ago:
https://sourceforge.net/tracker/?func=detail&atid=794190&aid=1971965&group_id=155034

"While I am at it, I suggest that you change /tmp/rkhunter-debug to /var/run/rkhunter-debug. Right now, you have a security hole allowing for local root compromise, although indeed the race condition is hard to trigger in practice. To those reading this: please note that this suggestion by no means constitutes a security review of rkhunter by me."

I notice that the Debian package was fixed to use mktemp; I think that a fixed filename under /var/run would be better in this case. Also, rkhunter could be patched to enforce mode 600 on the file, regardless of umask. (mktemp does that, but when a fixed filename under /var/run is used instead, that would need to be explicit.)

Oh, and I was probably wrong about the race condition being hard to trigger - I forgot about directory notifications for a moment.

Also, when using mktemp it is important to check for possible failure of mktemp - e.g., with "|| exit" on the line (which propagates mktemp's exit code to that of the script).

On Openwall GNU/*/Linux (Owl), we use the following shell script snippets for "real" temporary files (which are meant to be gone when the script terminates), as documented in Owl/doc/CONVENTIONS -

| It's better to not use temporary files, however if you must, the
| preferred way to do it from shell scripts is with code like this:
|
| TMPFILE="`mktemp -t program.XXXXXXXXXX`" || exit
| trap 'rm -f -- "$TMPFILE"' EXIT
| trap 'trap - EXIT; rm -f -- "$TMPFILE"; exit 1' HUP INT QUIT TERM
|
| To create temporary directories, use:
|
| TMPD="`mktemp -dt program.XXXXXXXXXX`" || exit
| trap 'rm -rf -- "$TMPD"' EXIT
| trap 'trap - EXIT; rm -rf -- "$TMPD"; exit 1' HUP INT QUIT TERM

Alexander
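The mktemp/trap pattern quoted in the post, as an added example that is not part of the original message or of Owl's CONVENTIONS: it wraps the pattern in small POSIX sh functions and checks the three properties the post calls out (mktemp failure is detected, the file is mode 600 regardless of umask, and the EXIT trap removes the file when the shell terminates). Function and variable names such as make_private_tmpfile are my own.

```shell
# Added example (not from the original post or Owl): wraps the mktemp/trap
# pattern in small functions and checks the properties the post calls out.

# Create a private temp file and print its path. Returns non-zero (creating
# nothing usable) if mktemp fails, so callers can chain "|| exit".
make_private_tmpfile() {
    tmpf="$(mktemp -t example.XXXXXXXXXX)" || return 1
    # mktemp already uses 0600; chmod makes that explicit, as the post
    # recommends for the fixed-filename variant under /var/run.
    chmod 600 -- "$tmpf" || { rm -f -- "$tmpf"; return 1; }
    printf '%s\n' "$tmpf"
}

# Octal permission bits of a path, e.g. 600 (GNU stat, BSD fallback).
mode_of() {
    stat -c '%a' -- "$1" 2>/dev/null || stat -f '%Lp' -- "$1"
}

# Even with umask 000 the created file must be 0600.
check_mode_under_loose_umask() {
    old_umask=$(umask)
    umask 000
    f=$(make_private_tmpfile) || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    m=$(mode_of "$f")
    rm -f -- "$f"
    [ "$m" = "600" ]
}

# An unusable TMPDIR makes mktemp fail; the failure must propagate rather
# than leaving the script running with an empty path.
check_mktemp_failure_detected() {
    if f=$(TMPDIR=/nonexistent/dir; export TMPDIR; make_private_tmpfile 2>/dev/null); then
        rm -f -- "$f"; return 1    # should not happen
    fi
}

# The Owl EXIT trap: a subshell creates the file, installs the traps and
# terminates; afterwards the file must be gone.
check_trap_cleanup() {
    f=$( (
        TMPFILE="$(mktemp -t example.XXXXXXXXXX)" || exit 1
        trap 'rm -f -- "$TMPFILE"' EXIT
        trap 'trap - EXIT; rm -f -- "$TMPFILE"; exit 1' HUP INT QUIT TERM
        printf '%s\n' "$TMPFILE"
        exit 0
    ) ) || return 1
    [ -n "$f" ] && [ ! -e "$f" ]
}
```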