[8729] in bugtraq
Re: Verifying file data integrity using L6
daemon@ATHENA.MIT.EDU (Ng Pheng Siong)
Fri Dec 18 23:18:07 1998
Date: Sat, 19 Dec 1998 01:00:07 +0800
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Ng Pheng Siong <ngps@POST1.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.GSO.3.96.981217130504.10606A-100000@paranoia.pgci.ca>; from
gilbert@PGCI.CA on Thu, Dec 17, 1998 at 01:31:55PM +0000
On Dec 17, gilbert@PGCI.CA wrote:
> [L6] provides a useful, lightweight and flexible interface (written in
> perl) to verify file data integrity, and the output and functionality
> resembles that of L5 (a similar tool written in C by hobbit@avian.org).
/usr/local/src/toolz:$ vi l6
/usr/local/src/toolz:$ diff l6.org l6
1c1
< #!/bin/perl
---
> #!/usr/local/bin/perl -Tw
52a53,54
>
> $ENV{PATH}='/bin:/usr/bin';
/usr/local/src/toolz:$ ./l6 l6
Use of uninitialized value at ./l6 line 78.
Insecure dependency in chdir while running with -T switch at
/usr/local/lib/perl5/5.00502/File/Find.pm line 125.
Ok, it's File::Find's problem, not your code. And maybe not exploitable.
(A file which name is binary code?) But since this program will touch
potentially every file on the system as root, one can't be too careful.
Also, try "use strict".
I've toyed with putting a wrapper around l5 to make it work like tripwire,
but that means handling all the integrity database maintenance that tripwire
does. In essence, reinventing tripwire. ;-|
--
Ng Pheng Siong <ngps@post1.com>
