From: Willy Tarreau <willy@w.ods.org>
To: Heikki Orsila <shd@zakalwe.fi>
Cc: Alistair John Strachan <s0348365@sms.ed.ac.uk>,
	Mark Rosenstand <mark@borkware.net>,
	linux-kernel@vger.kernel.org
Subject: Re: World writable tarballs
Date: Sun, 30 Apr 2006 11:37:41 +0200	[thread overview]
Message-ID: <20060430093740.GK13027@w.ods.org> (raw)
In-Reply-To: <20060430091501.GA19566@zakalwe.fi>

On Sun, Apr 30, 2006 at 09:15:01AM +0000, Heikki Orsila wrote:
> On Sun, Apr 30, 2006 at 01:48:12AM +0100, Alistair John Strachan wrote:
> > There's no need to repeatedly discuss it.
> 
> I think there is. Sorry for wasting bandwidth.
> 
> It's a big security hole deliberately caused by the kernel people (files
> in the tar ball have og+w, so it's not a problem in root's umask or tar).
> Real security needs _simplicity_ but current file modes require
> unnecessary _tricks_ for admins. There should be nothing against
> untarring files as root. In this case it makes sense too, because only
> the tar balls are crypto signed, not the individual files inside the tar
> ball, so root can conveniently just verify the crypto signature and
> untar the file without any race conditions or trusting other users. The
> only real alternative is to create an _unnecessary_ trusted user to do
> tar ball handling.
> 
> PS. this file permission bug almost bit me. People make errors and this
> one is potentially a big privilege escalation, because it potentially
> turns normal application bugs into root privileges.

Although I don't like finding world-writable files in tar archives, I
think you're exaggerating a bit. First, you're not turning normal bugs
into root privileges, and second, you don't need to create a user just
for this; you just have to extract it in a directory that other users
cannot access (chmod o-x).

Also, you'll find several other pieces of software on the net with full rights,
so if this really is a concern to you, you'd better get used to this
with simple and reliable solutions (ntp comes to mind).

> Heikki Orsila                   Barbie's law:
> heikki.orsila@iki.fi            "Math is hard, let's go shopping!"
> http://www.iki.fi/shd

Regards,
Willy
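
A defender-side check of the advice in this thread, added here as an example and not part of Willy's message or of any kernel.org tooling: it lists which entries of a tarball carry group- or world-write bits, then extracts into a 0700 directory (the "chmod o-x" idea, tightened) and strips those bits, since tar run as root preserves archive modes regardless of umask. It assumes a tar whose -tvf listing starts with an ls-style mode column (GNU tar and bsdtar both do).

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a tarball for entries
# whose stored mode has a group- or other-write bit, then extracts it
# into a private directory and removes those write bits afterwards.

# Print the `tar -tvf` listing lines whose mode string (first column,
# e.g. -rw-rw-rw-) has 'w' in the group (6th) or other (9th) position.
# Empty output means the archive has no group/world-writable entries.
world_writable_entries() {
    tar -tvf "$1" | awk '{ m = $1
        if (substr(m, 6, 1) == "w" || substr(m, 9, 1) == "w") print }'
}

# Extract TARBALL into DEST. DEST is forced to mode 0700 so other users
# cannot traverse it (Willy's chmod o-x, tightened), and every extracted
# file loses group/other write permission, which matters when the caller
# is root because tar then keeps the archive's og+w modes as-is.
safe_extract() {
    tarball=$1
    dest=$2
    mkdir -p "$dest" && chmod 0700 "$dest" || return 1
    tar -xf "$tarball" -C "$dest" || return 1
    chmod -R go-w "$dest"
}
```

Run `world_writable_entries linux.tar` first; any output is a reason to prefer `safe_extract linux.tar /usr/src/private` over a bare `tar -xf` in a shared directory.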

