Marc Haber <[EMAIL PROTECTED]> writes:

> On Sun, Apr 15, 2007 at 03:21:13PM +0200, Goswin von Brederlow wrote:
>> aide uses a very predictable name in tmp (/tmp/empty/aide.db) with the
>> assumption that it will give an error because the file does not exist.
>>
>> A malicious user can easily create /tmp/empty and place a dummy db in
>> there and thus disrupt or even negate the effect of aide.
>
> How can it disrupt the effect of aide? People are not supposed to
> directly call aide without giving a configuration file.

Apparently people do and if someone fakes /tmp/empty/aide.db they will
get no error unlike you intended. They might even think all is well
while aide will not work.

>> If you want to force people to configure your package before use then
>> please do use something reliably absent.
>
> What do you suggest using?

/nonexistant/aide.db or /usr/lib/aid/nonexistant/aide.db.

> Greetings
> Marc

MfG
        Goswin
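
A check for whether a placeholder database path is "reliably absent" in the sense discussed above, as an added example that is not part of the original thread or of the aide package. The function names are hypothetical, and the check only looks at the world-writable bit of the nearest existing ancestor directory.

```shell
#!/bin/sh
# Added example, not code from AIDE or the Debian package.
# Classifies a placeholder path as:
#   exists    - the path is already there, so the "must fail" assumption is broken
#   plantable - absent, but the nearest existing ancestor is world-writable,
#               so any local user can create the missing components
#   absent    - absent, and the nearest existing ancestor is not world-writable
# Assumption: only the world-writable mode bit is checked; ownership,
# group write access and ACLs are out of scope here.

# Walk up from a path until an existing directory is found.
nearest_existing_dir() {
    p=$1
    while [ ! -d "$p" ]; do
        parent=$(dirname "$p")
        if [ "$parent" = "$p" ]; then
            break
        fi
        p=$parent
    done
    printf '%s\n' "$p"
}

classify_placeholder() {
    path=$1
    # -L also catches a dangling symlink planted at the path.
    if [ -e "$path" ] || [ -L "$path" ]; then
        echo exists
        return 0
    fi
    dir=$(nearest_existing_dir "$(dirname "$path")")
    # find -prune tests only the directory itself; -perm -0002 = world-writable.
    if [ -n "$(find "$dir" -prune -perm -0002 -print 2>/dev/null)" ]; then
        echo plantable
    else
        echo absent
    fi
}

# The two kinds of path from the thread: one under /tmp, one under /.
for candidate in /tmp/empty/aide.db /nonexistant/aide.db; do
    printf '%s: %s\n' "$candidate" "$(classify_placeholder "$candidate")"
done
```
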