|
|
In previous revisions, the init script for arpwatch called "chown" as
root on a location under /var/lib/arpwatch -- a path that is controlled
by the "arpwatch" user per its ebuild. That could be exploited by the
"arpwatch" user to take control of root-owned files.
This new revision comes with a new init script and conf.d file that
completely rework the way instances are created and run. The
"arpwatch" user is hard-coded, because as was mentioned, the ebuild
sets some important permissions for that user. Since it is not
possible to change that user, the need for "chown" is eliminated.
Separate instances are now created by symlinking the init script (like
our network interface scripts), rather than by enumerating them in a
single arpwatch init script. Upgraders will want to review their
configurations.
Bug: https://bugs.gentoo.org/602552
Package-Manager: Portage-2.3.8, Repoman-2.3.3
|
Michael Orlitzky
GitWeb