From: Gary V <li...@jo...> - 2006-11-29 23:50:17
MK wrote:
> found this in amavisd.log (i inserted the line breaks for better reading...):
> #############################################################################
> (!)WARN: Using cpio instead of pax can be a security risk;
> please add: $pax='pax'; to amavisd.conf and check that the pax(1) utility
> is available on the system!
> (!)do_pax_cpio/1: exit 1
> (!)Decoding of p003 (tar archive) failed, leaving it unpacked:
> do_pax_cpio: exit 1 /usr/bin/cpio: Malformed number 777
> \n/usr/bin/cpio: Malformed number 376
> \n/usr/bin/cpio: Malformed number 1
> \n/usr/bin/cpio: Malformed number 213000
> \n/usr/bin/cpio: Malformed number 10450757133
> \n/usr/bin/cpio: Malformed number
> \n/usr/bin/cpio: Malformed number
> \n/usr/bin/cpio: premature end of file at (eval 49) line 1239.
> #############################################################################
> why can using cpio be a security risk? (i'm using "cpio (GNU cpio) 2.7")
> and, if so, which pax version is advisable to choose?
> i'm confused about the current state of tar/pax/cpio merging code or not...
> the heirloom toolchest contains pax, cpio and tar - so do the GNU paxutils
> (although i don't find an actual download on savannah.gnu.org - just CVS).
> which is best to choose?
> thanks
> MK

I personally have no real answers for you on this, but doesn't your distro
have 'pax' available where you could simply install the pax
package/port/whatever?

Gary V