From: Mark Rosenstand <mark@borkware.net>
To: Alistair John Strachan <s0348365@sms.ed.ac.uk>
Cc: Heikki Orsila <shd@zakalwe.fi>, linux-kernel@vger.kernel.org
Subject: Re: World writable tarballs
Date: Sun, 30 Apr 2006 14:36:54 +0200 [thread overview]
Message-ID: <1146400614.15178.14.camel@hammer> (raw)
In-Reply-To: <200604301249.16259.s0348365@sms.ed.ac.uk>
On Sun, 2006-04-30 at 12:49 +0100, Alistair John Strachan wrote:
> Going over old ground again, any administrator a) compiling the kernel as root
> or b) relying on GNU tar to make _security policy decisions_ is completely
> insane.
Yes, GNU tar is acting insane. Given that GNU tar is the most widely
used tar implementation (at least for extracting linux sources), why is
the kernel packaged to exploit this insane behaviour?
> Really, people that complain about security should have a modicum of a clue;
> allowing a tar file that _somebody else_ applied _their_ security policy, to
> define yours, is a deeply flawed concept. umask is there for a reason.
I merely asked if it was on purpose. In my point of view, it's wrong to
deliberately expose people to such big security threads.
That said, the kernel source is actually the only thing I extract as
root, mostly because I think it's weird to have symlinks in /lib/modules
point to my user's home directory.
next prev parent reply other threads:[~2006-04-30 12:36 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-04-30 0:18 World writable tarballs Mark Rosenstand
2006-04-30 0:48 ` Alistair John Strachan
2006-04-30 4:59 ` Joshua Hudson
2006-04-30 6:18 ` Sam Ravnborg
2006-04-30 6:47 ` Matthew Reppert
2006-04-30 16:32 ` Joshua Hudson
2006-04-30 6:53 ` Valdis.Kletnieks
2006-04-30 9:15 ` Heikki Orsila
2006-04-30 9:37 ` Willy Tarreau
2006-04-30 11:49 ` Alistair John Strachan
2006-04-30 12:36 ` Mark Rosenstand [this message]
2006-04-30 12:51 ` Alistair John Strachan
2006-04-30 17:08 ` Mark Rosenstand
2006-04-30 16:53 ` Heikki Orsila
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1146400614.15178.14.camel@hammer \
--to=mark@borkware.net \
--cc=linux-kernel@vger.kernel.org \
--cc=s0348365@sms.ed.ac.uk \
--cc=shd@zakalwe.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.