Re: World writable tarballs
- From: Willy Tarreau <willy@xxxxxxxxx>
- Date: Sun, 30 Apr 2006 11:37:41 +0200
On Sun, Apr 30, 2006 at 09:15:01AM +0000, Heikki Orsila wrote:
> On Sun, Apr 30, 2006 at 01:48:12AM +0100, Alistair John Strachan wrote:
> > There's no need to repeatedly discuss it.
>
> I think there is. Sorry for wasting bandwidth.
>
> It's a big security hole deliberately caused by the kernel people (files
> in the tar ball have og+w, so it's not a problem in root's umask or tar).
> Real security needs _simplicity_ but current file modes require
> unnecessary _tricks_ for admins. There should be nothing against
> untarring files as root. In this case it makes sense too, because only
> the tar balls are crypto signed, not the individual files inside the tar
> ball, so root can conveniently just verify the crypto signature and
> untar the file without any race conditions or trusting other users. The
> only real alternative is to create an _unnecessary_ trusted user to do
> tar ball handling.
>
> PS. this file permission bug almost bit me. People make errors and this
> one is potentially a big privilege escalation, because it potentially
> turns normal application bugs into root privileges.
Although I don't like finding world-writable files in tar archives, I
think you're exaggerating a bit. First, you're not turning normal bugs
into root privileges, and second, you don't need to create a user just
for this, you just have to extract it in a directory that other users
cannot access (chmod o-x).
Also, you'll find several other software on the net with full rights,
so if this really is a concern to you, you'd better get used to this
with simple and reliable solutions (ntp comes to mind).
> Heikki Orsila                   Barbie's law:
> heikki.orsila@xxxxxx            "Math is hard, let's go shopping!"
> http://www.iki.fi/shd
Regards,
Willy
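An added example, not part of the original message or of any project's code: it lists the members an archive stores with og+w, then unpacks into a fresh directory no other user can enter (mode 0700, stricter than the chmod o-x suggested above), clearing the group/other write bits as it goes. The sample tarball is constructed in memory and the function names are hypothetical.

```python
import io, os, stat, tarfile, tempfile

OG_WRITE = stat.S_IWGRP | stat.S_IWOTH  # the og+w bits discussed in the thread

def build_sample():
    """Constructed in-memory tarball: one 0777 dir, one 0666 file, one 0644 file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        d = tarfile.TarInfo("src")
        d.type, d.mode = tarfile.DIRTYPE, 0o777
        tar.addfile(d)
        for name, mode in (("src/Makefile", 0o666), ("src/README", 0o644)):
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def loose_members(blob):
    """List (name, mode) for every member stored with group or other write."""
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        return [(m.name, oct(m.mode & 0o777)) for m in tar if m.mode & OG_WRITE]

def extract_private(blob, parent=None):
    """Unpack into a fresh 0700 directory, clearing og+w on everything written."""
    dest = os.path.realpath(tempfile.mkdtemp(dir=parent))  # mkdtemp creates 0700
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        for m in tar:
            target = os.path.realpath(os.path.join(dest, m.name))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError("member escapes destination: " + m.name)
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            elif m.isreg():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out:
                    out.write(tar.extractfile(m).read())
            else:
                continue  # links and devices are out of scope for this example
            # Explicit chmod, so the result does not depend on the caller's umask.
            os.chmod(target, m.mode & 0o777 & ~OG_WRITE)
    return dest

if __name__ == "__main__":
    blob = build_sample()
    print("stored with og+w:", loose_members(blob))
    print("extracted to:", extract_private(blob))
```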