|
fail |
vzpbackup-1.6-alt1.git.5d1ff63f.x86_64 |
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/bin/vzpbackup.sh: $ grep /tmp/ /usr/bin/vzpbackup.sh # Check if the VE exists if grep "$CTID" <<< `$VZLIST_CMD &> /dev/null; then if [ $COMPACT == 1 ]; then echo "Compacting CTID: $CTID" $VZCTL_CMD compact $CTID > /tmp/vzpbackup_compact_$CTID_$TIMESTAMP.log echo "Compact log file: /tmp/vzpbackup_compact_$CTID_$TIMESTAMP.log" fi echo "Backing up CTID: $CTID" ID=$(uuidgen) |