[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Uploaded tmpreaper 1.4.8 (source i386) to master

Paul Slootman wrote:
> > >    * Changed priority to extra, as you really only need this package if you
> > >      have specialised requirements (i.e. a system with untrusted users).
> > 
> > You're kidding, right?
> 
> No. According to the (previous) maintainer, for regular desktop / home use
> a cron job that does "find /tmp -atime +7 ! -type d-print0 | xargs -0 rm -f"
> is just as good. Tmpreaper just offers a way of closing any avenues of
> attack, which otherwise will allow a regular user to remove any file on
> the system. Read the urls referenced by the tmpreaper docs for explanation.

You're basically arguing, "a typical debian system need not be secure". I
totally disagree with that. First of all, I doubt that desktop/home use
makes up a sizably larger percentage of debian use than does use of debian
as a server. Secondly, once you start weakening what a normal user can do,
even on a system where all users are trusted, you're paving a path for
someone malicious to use when they do crack into your system.

-- 
see shy jo
Reply to: