From: Willy Tarreau <willy@w.ods.org>
To: Heikki Orsila <shd@zakalwe.fi>
Cc: Alistair John Strachan <s0348365@sms.ed.ac.uk>,
Mark Rosenstand <mark@borkware.net>,
linux-kernel@vger.kernel.org
Subject: Re: World writable tarballs
Date: Sun, 30 Apr 2006 11:37:41 +0200 [thread overview]
Message-ID: <20060430093740.GK13027@w.ods.org> (raw)
In-Reply-To: <20060430091501.GA19566@zakalwe.fi>
On Sun, Apr 30, 2006 at 09:15:01AM +0000, Heikki Orsila wrote:
> On Sun, Apr 30, 2006 at 01:48:12AM +0100, Alistair John Strachan wrote:
> > There's no need to repeatedly discuss it.
>
> I think there is. Sorry for wasting bandwidth.
>
> It's a big security hole deliberately caused by the kernel people (files
> in the tar ball have og+w, so it's not problem in roots umask or tar).
> Real security needs _simplicity_ but current file modes require
> unnecessary _tricks_ for admins. There should be nothing against
> untarring files as root. In this case it makes sense too, because only
> the tar balls are crypto signed, not the individual files inside the tar
> ball, so root can conveniently just verify the crypto signature and
> untar the file without any race conditions or trusting other users. The
> only real alternative is to create an _unnecessary_ trusted user to do
> tar ball handling.
>
> PS. this file permission bug almost bit me. People make errors and this
> one is potentially a big privilege escalation, because it potentially
> turns normal application bugs into root privileges.
Although I don't like finding world-writable files in tar archives, I
think you're exagerating a bit. First, you're not turning normal bugs
into root privileges, and second, you don't need to create a user just
for this, you just have to extract it in a directory that other users
cannot access (chmod o-x).
Also, you'll find several other software on the net with full rights,
so if this really is a concern to you, you'd better get used to this
with simple and reliable solutions (ntp comes to mind).
> Heikki Orsila Barbie's law:
> heikki.orsila@iki.fi "Math is hard, let's go shopping!"
> http://www.iki.fi/shd
Regards,
Willy
next prev parent reply other threads:[~2006-04-30 9:37 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-04-30 0:18 World writable tarballs Mark Rosenstand
2006-04-30 0:48 ` Alistair John Strachan
2006-04-30 4:59 ` Joshua Hudson
2006-04-30 6:18 ` Sam Ravnborg
2006-04-30 6:47 ` Matthew Reppert
2006-04-30 16:32 ` Joshua Hudson
2006-04-30 6:53 ` Valdis.Kletnieks
2006-04-30 9:15 ` Heikki Orsila
2006-04-30 9:37 ` Willy Tarreau [this message]
2006-04-30 11:49 ` Alistair John Strachan
2006-04-30 12:36 ` Mark Rosenstand
2006-04-30 12:51 ` Alistair John Strachan
2006-04-30 17:08 ` Mark Rosenstand
2006-04-30 16:53 ` Heikki Orsila
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060430093740.GK13027@w.ods.org \
--to=willy@w.ods.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark@borkware.net \
--cc=s0348365@sms.ed.ac.uk \
--cc=shd@zakalwe.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox