From: Heikki Orsila <shd@zakalwe.fi>
To: Alistair John Strachan <s0348365@sms.ed.ac.uk>
Cc: Mark Rosenstand <mark@borkware.net>, linux-kernel@vger.kernel.org
Subject: Re: World writable tarballs
Date: Sun, 30 Apr 2006 09:15:01 +0000
Message-ID: <20060430091501.GA19566@zakalwe.fi>
In-Reply-To: <200604300148.12462.s0348365@sms.ed.ac.uk>

On Sun, Apr 30, 2006 at 01:48:12AM +0100, Alistair John Strachan wrote:
> There's no need to repeatedly discuss it.

I think there is. Sorry for wasting bandwidth.

It's a big security hole deliberately caused by the kernel people (files
in the tar ball have og+w, so it's not a problem in root's umask or tar).
Real security needs _simplicity_ but current file modes require
unnecessary _tricks_ for admins. There should be nothing against
untarring files as root. In this case it makes sense too, because only
the tar balls are crypto signed, not the individual files inside the tar
ball, so root can conveniently just verify the crypto signature and
untar the file without any race conditions or trusting other users. The
only real alternative is to create an _unnecessary_ trusted user to do
tar ball handling.

PS. this file permission bug almost bit me. People make errors and this
one is potentially a big privilege escalation, because it potentially
turns normal application bugs into root privileges.

-- 
Heikki Orsila                   Barbie's law:
heikki.orsila@iki.fi            "Math is hard, let's go shopping!"
http://www.iki.fi/shd
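
A check an admin could run after verifying the tarball signature and before untarring as root, added here as an example and not part of the original message: it lists archive members whose stored mode carries the og+w bits the message describes. The sample archive is constructed in memory; the names `audit_modes`, `build_sample` and `src-1.0` are assumptions.

```python
import io
import stat
import tarfile

OG_WRITE = stat.S_IWGRP | stat.S_IWOTH  # the "og+w" bits from the message


def audit_modes(fileobj):
    """Return [(name, octal_mode)] for members that are group/other writable."""
    flagged = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            # Links take their effective permissions from the target,
            # which is audited as its own member.
            if member.issym() or member.islnk():
                continue
            if member.mode & OG_WRITE:
                flagged.append((member.name, format(member.mode & 0o7777, "04o")))
    return flagged


def build_sample():
    """Constructed archive: one og+w directory, one og+w file, one sane file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, kind, data in [
            ("src-1.0", 0o777, tarfile.DIRTYPE, b""),
            ("src-1.0/Makefile", 0o666, tarfile.REGTYPE, b"all:\n"),
            ("src-1.0/README", 0o644, tarfile.REGTYPE, b"hello\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.mode, info.type, info.size = mode, kind, len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Print every member that would be left group/other writable
    # if the stored modes were restored verbatim on extraction.
    for name, mode in audit_modes(build_sample()):
        print(f"{mode} {name}")
```

An empty result means no member's stored mode grants group or other write access; the check reads only the archive headers and extracts nothing.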
