Marc Haber <[EMAIL PROTECTED]> writes:
> On Tue, Apr 17, 2007 at 03:28:44AM +0200, Goswin von Brederlow wrote:
>> /nonexistant/aide.db or /usr/lib/aid/nonexistant/aide.db.
>
> * Change sysconfdir in configure call to
> /var/lib/aide/please-dont-call-aide-without-parameters
> to no longer
On Tue, Apr 17, 2007 at 03:28:44AM +0200, Goswin von Brederlow wrote:
> /nonexistant/aide.db or /usr/lib/aid/nonexistant/aide.db.
* Change sysconfdir in configure call to
/var/lib/aide/please-dont-call-aide-without-parameters
to no longer point to a world writeable location and to give a
Marc Haber <[EMAIL PROTECTED]> writes:
> On Sun, Apr 15, 2007 at 03:21:13PM +0200, Goswin von Brederlow wrote:
>> aide uses a very predictable name in tmp (/tmp/empty/aide.db) with the
>> assumption that it will give an error because the file does not exist.
>>
>> A malicious user can easily crea
On Sun, Apr 15, 2007 at 03:21:13PM +0200, Goswin von Brederlow wrote:
> aide uses a very predictable name in tmp (/tmp/empty/aide.db) with the
> assumption that it will give an error because the file does not exist.
>
> A malicious user can easily create /tmp/empty and place a dummy db in
> there
Hi,
aide uses a very predictable name in tmp (/tmp/empty/aide.db) with the
assumption that it will give an error because the file does not exist.
A malicious user can easily create /tmp/empty and place a dummy db in
there and thus disrupt or even negate the effect of aide.
If you want to force