Since the job is running as root, and on people.fedoraproject.org, it

can be abused by a non admin user using a symlink in /tmp (just a
simple for loop over the pid space would be enough).

Then we can at best erase a almost arbitrary file (using a creative
symlink), or at worst, maybe inject data that could be parsed by a
software (since the content would be under the control of a attacker,
since that's the list of file in a user home directories.
This commit is contained in:
Michael Scherer 2016-03-29 18:45:58 +00:00 committed by Kevin Fenzi
parent 02156cb213
commit b811b3daf4

View file

@ -6,7 +6,8 @@
LOGFILE="/var/log/clamscan.log"
MAILTO="{{ clamscan_mailto }}"
DAYS=7
FILELIST="/tmp/clamscan_filelist.$$"
TMPCLAMDIR=$(mktemp -d clamav_ansible.XXXXXX)
FILELIST="$TMPCLAMDIR/clamscan_filelist.$$"
rm -f $LOGFILE