[Slackbuilds-users] Permissions of tar.gz files are evil. Possible security leak!
Manuel Reimer
Manuel.Reimer at gmx.de
Sat Dec 22 13:35:49 UTC 2007
Hi,
I don't know how the tar.gz packages for slackbuilds.org are created, but most files have the UID 1000 as owner of the file. Some also have 1002 and maybe even other UIDs.
This may easily cause a security leak if you, for example, create a directory under /tmp as root to do your SlackBuilds stuff there.
If you do so, Slackware will give it permission "755" by default, meaning any user may enter this directory.
If you now extract your SlackBuilds.org tar.gz file, all files in this directory belong to, for example, UID 1000. This user may now easily add something like "rm -rf /" to the SlackBuild file.
SlackBuilds are files executed by root! Please have security in mind when setting the permissions for files, and run
chmod -R 750 $DIRNAME
chown -R root:root $DIRNAME
on the directory with the SlackBuild files before you run "tar" on it.
Thanks for listening
CU
Manuel
--
() ascii ribbon campaign - against html mail
/\
answers as html mail will be deleted automatically!
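An added example (a shell script written for this page, not part of Manuel's mail or of the slackbuilds.org tooling) showing the three sides of the problem he describes: how to audit a tar.gz for members not owned by root, how a packager can produce an archive that is owned by root without actually being root, and how someone extracting as root can avoid handing the files to UID 1000 in the first place. The tree "foo", the file foo.SlackBuild and the uid/gid 1000 sample archive are constructed for the demonstration, and GNU tar is assumed (for --owner, --group, --numeric-owner and --no-same-owner).

```shell
#!/bin/sh
# Added example, not part of Manuel's mail or of slackbuilds.org tooling.
# Assumes GNU tar (--owner/--group/--numeric-owner/--no-same-owner) and POSIX sh.
set -eu

# Constructed sample data: a minimal SlackBuild tree packed twice, once with
# the archive headers stamped uid/gid 1000 (the situation the mail describes)
# and once normalised to root.  No root privileges are needed: --owner/--group
# only set the header fields; nothing on disk is chowned.
make_sample_tarballs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/foo"
    printf '#!/bin/sh\necho building foo\n' > "$dir/foo/foo.SlackBuild"
    tar -C "$dir" --owner=1000 --group=1000 -czf "$dir/foo-bad.tar.gz" foo
    pack_as_root "$dir" foo "$dir/foo-good.tar.gz"
    echo "$dir"
}

# Packager side: the fix the mail asks for.  chmod -R 750 is the mail's own
# step; chown -R root:root needs root, so here GNU tar's --owner=0 --group=0
# writes root into the archive headers instead, which is what the extractor
# sees in either case.
pack_as_root() {  # pack_as_root PARENTDIR NAME OUTFILE
    chmod -R 750 "$1/$2"
    tar -C "$1" --owner=0 --group=0 -czf "$3" "$2"
}

# Audit side: count archive members whose numeric uid or gid is not 0.
# With --numeric-owner, "tar -tv" prints "uid/gid" as the second column.
count_nonroot_members() {
    tar --numeric-owner -tzvf "$1" | awk '
        { split($2, og, "/"); if (og[1] != "0" || og[2] != "0") n++ }
        END { print n + 0 }'
}

# Extractor side (what root should do regardless of the archive): a private
# directory (mktemp -d creates it mode 700, not the 755 the mail warns about)
# and --no-same-owner, so members end up owned by the extracting user instead
# of whatever uid the archive header names.  Without it, root would hand the
# files to uid 1000, who could then edit the SlackBuild root is about to run.
safe_extract() {
    dest=$(mktemp -d)
    tar -C "$dest" --no-same-owner --no-same-permissions -xzf "$1"
    echo "$dest"
}

# Number of files under a directory not owned by the calling user;
# 0 means nobody else can tamper with them.
count_foreign_files() {
    find "$1" ! -user "$(id -un)" | awk 'END { print NR }'
}

# Demo when run directly.
d=$(make_sample_tarballs)
echo "non-root members in foo-bad.tar.gz:  $(count_nonroot_members "$d/foo-bad.tar.gz")"
echo "non-root members in foo-good.tar.gz: $(count_nonroot_members "$d/foo-good.tar.gz")"
x=$(safe_extract "$d/foo-bad.tar.gz")
echo "files not owned by $(id -un) after safe extraction: $(count_foreign_files "$x")"
rm -rf "$d" "$x"
```

Note that GNU tar only honours archive ownership (--same-owner) by default when run as root, which is exactly the case the mail is about: an ordinary user extracting the same archive would never see the problem, so the audit has to look at the archive headers rather than at an extracted tree.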