[EMAIL PROTECTED] on 04/25/2000 09:15:08 PM
>> The current development version tries a bit harder to generate a unique
>> name for the temporary directory, but it's still pretty predictable.
>
>What's wrong with creating a /var/cvs/tmp directory with appropriate
>permissions so that only cvs can access it?
CVS usually doesn't run setuid; it runs as the user who executed it.
Regardless, so long as someone can create the /tmp directories and leave them
there (e.g. via crashing CVS), the DoS attack exists. It doesn't matter where
those directories are kept.
Noel
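
The failure mode discussed in this thread, as an added example that is not part of the original message and is not CVS code: a leftover directory blocks a predictable name wherever the parent directory lives, while `mkdtemp()` still succeeds. The `srv-<pid>` naming scheme, the function names and the `/tmp/tmpdir-demo-XXXXXX` sandbox are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE            /* exposes mkdtemp() in glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Predictable scheme (assumed for illustration): <base>/srv-<pid>.
 * Returns 0, or -1 with errno set (EEXIST when the name is already taken). */
int make_predictable_dir(const char *base, pid_t pid, char *out, size_t len)
{
    snprintf(out, len, "%s/srv-%ld", base, (long)pid);
    return mkdir(out, 0700);
}

/* mkdtemp() fills in a random suffix and creates the directory atomically
 * with mode 0700, picking another name if the first one already exists. */
int make_unpredictable_dir(const char *base, char *out, size_t len)
{
    snprintf(out, len, "%s/srv-XXXXXX", base);
    return mkdtemp(out) ? 0 : -1;
}

/* Returns 1 when a leftover directory blocks the predictable scheme (EEXIST)
 * while mkdtemp() still succeeds in the same parent; -1 on setup error. */
int leftover_blocks_only_predictable(void)
{
    char base[] = "/tmp/tmpdir-demo-XXXXXX";   /* constructed sandbox */
    char stale[128], a[128], b[128];
    pid_t pid = getpid();

    if (!mkdtemp(base)) return -1;
    snprintf(stale, sizeof stale, "%s/srv-%ld", base, (long)pid);
    if (mkdir(stale, 0700) != 0) return -1;    /* the leftover directory */

    int blocked = make_predictable_dir(base, pid, a, sizeof a) == -1 && errno == EEXIST;
    int fresh_ok = make_unpredictable_dir(base, b, sizeof b) == 0;
    if (fresh_ok) rmdir(b);
    rmdir(stale);
    rmdir(base);
    return blocked && fresh_ok;
}

int main(void)
{
    printf("%d\n", leftover_blocks_only_predictable());
    return 0;
}
```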