[Pkg-clamav-devel] Lintian override (Was: Re: repo set up)

Michael Meskes meskes at debian.org
Mon Sep 8 11:54:54 UTC 2008


On Mon, Sep 08, 2008 at 12:45:43AM +0100, Stephen Gran wrote:
> > As you started cleaning out the lintian warnings: We also have a warning about
> > insecure tmp usage, because of that line in the clamav-base postinst:
> > 
> > [ -z "$TemporaryDirectory" ] && TemporaryDirectory='/tmp'

The big question is where/how is this used?

> Yes, the main problem is that the directory will go away on reboots -
> that variable is only needed for the config file generation stuff, and
> not actually used in the script.  Telling the various daemons to use
> directories that disappear out from under them will probably not add
> robustness :)

It depends. If the directory is only used for volatile stuff, that should be
fine. I had a look at two servers and there appeared to be no clamav relevant
file under /tmp at all. So, what uses the TemporaryDirectory?

If it is only used by some daemonized software we could create a directory
belonging to that user and be safe.

> ClamAV already uses a (locally written, sigh) mktemp variant for files
> under /tmp.  Probably in this case, a lintian override would be useful,

You mean something like cli_gentempfd? This does not really make it safe:
http://www.securiteam.com/securitynews/5QP010KN5E.html, although I haven't
checked whether this is still the same code.

Michael
-- 
Michael Meskes
Email: Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
       Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
ICQ: 179140304, AIM/Yahoo: michaelmeskes, Jabber: meskes at jabber.org
Go VfL Borussia! Go SF 49ers! Use Debian GNU/Linux! Use PostgreSQL!
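
Added example, not part of the original message or of the clamav packaging: one way a maintainer script could set up and verify the kind of daemon-owned directory suggested above instead of falling back to a shared `/tmp`. The function names and any path passed in are hypothetical, and `stat -c` assumes GNU coreutils as shipped on Debian.

```shell
#!/bin/sh
# Added illustration; function names and paths are hypothetical.

# check_private_dir DIR UID
# Succeeds only if DIR is a real directory (not a symlink), is owned by
# numeric UID, and is not writable by group or others.
check_private_dir() {
    dir=$1
    want_uid=$2
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$dir") || return 1   # GNU stat: numeric owner
    mode=$(stat -c '%a' "$dir") || return 1    # GNU stat: octal mode
    if [ "$owner" != "$want_uid" ]; then
        echo "wrong owner on $dir: uid $owner, expected $want_uid" >&2
        return 1
    fi
    # 022 = group-write | other-write; either bit lets another user plant
    # or replace names inside the directory.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "unsafe mode $mode on $dir" >&2
        return 1
    fi
    return 0
}

# ensure_private_dir DIR UID
# Creates DIR with mode 0700 if it is missing, then verifies it.
ensure_private_dir() {
    dir=$1
    want_uid=$2
    # mkdir without -p fails if the name already exists, including as a
    # (dangling) symlink, so a pre-planted name is never followed.
    if mkdir -m 0700 "$dir" 2>/dev/null; then
        # Handing the directory to another user only works as root.
        if [ "$(id -u)" != "$want_uid" ]; then
            chown "$want_uid" "$dir" || return 1
        fi
    fi
    # A pre-existing directory is accepted only if it passes the checks.
    check_private_dir "$dir" "$want_uid"
}
```

A caller would pass the daemon account's numeric uid, for example the output of `id -u` for that user, and refuse to write the directory into the generated configuration when the function fails.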


