[Slackbuilds-users] Permissions of tar.gz files are evil. Possible security leak!

Manuel Reimer Manuel.Reimer at gmx.de
Sat Dec 22 13:35:49 UTC 2007


Hi,

I don't know how the tar.gz packages for slackbuilds.org are created, but most files have the UID 1000 as owner of the file. Some also have 1002 and maybe even other UIDs.

This may easily cause a security leak if you, for example, create a directory under /tmp as root to do your SlackBuilds stuff there.

If you do so, then Slackware will give the permission "755" by default. This means: any user may enter this directory.

If you now extract your SlackBuilds.org tar.gz file, then all files in this directory belong to, for example, UID 1000. This user may now easily add something like "rm -rf /" to the SlackBuild file.

SlackBuilds are files executed by root!!! Please have security in mind when setting the permissions for files and run

chmod -R 750 $DIRNAME
chown -R root:root $DIRNAME

on the directory with the SlackBuild files, before you run "tar" on it.
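The following script is an added example, not part of the original mail or of the slackbuilds.org tooling. It builds a small constructed SlackBuild-style archive two ways (entries recorded as UID 1000, and entries recorded as root), counts the entries whose recorded owner is not root, and shows an extraction that does not trust the archive's recorded owners or modes. It assumes GNU tar (for --owner, --numeric-owner, --no-same-owner and --no-same-permissions) and a writable temporary directory; the file names and contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU tar; busybox or
# BSD tar do not support all of the options used here.
set -eu

# make_demo_archive OWNER_UID OUTFILE
# Packs a constructed two-file SlackBuild tree with every entry recorded as
# owned by OWNER_UID, so the effect of stray uids inside an archive can be
# compared against a root-owned one.
make_demo_archive() {
    uid=$1; out=$2
    work=$(mktemp -d)
    mkdir -p "$work/demo"
    printf '#!/bin/sh\necho "building demo"\n' > "$work/demo/demo.SlackBuild"
    printf 'PRGNAM="demo"\nVERSION="1.0"\n' > "$work/demo/demo.info"
    tar --owner="$uid" --group="$uid" --numeric-owner -cf "$out" -C "$work" demo
    rm -rf "$work"
}

# count_foreign_owners ARCHIVE
# Prints the number of entries whose recorded owner uid is not 0.
# --numeric-owner makes tar print the raw uid/gid instead of mapping them to
# names from the local /etc/passwd, so the check is the same on every host.
count_foreign_owners() {
    tar --numeric-owner -tvf "$1" |
        awk '{ split($2, o, "/"); if (o[1] != "0") n++ } END { print n + 0 }'
}

# list_foreign_owners ARCHIVE
# Prints "uid path" for every entry not recorded as owned by root.
list_foreign_owners() {
    tar --numeric-owner -tvf "$1" |
        awk '{ split($2, o, "/"); if (o[1] != "0") print o[1], $NF }'
}

# safe_extract ARCHIVE DESTDIR
# Extracts without honouring the archive's metadata: the destination is
# created mode 700, --no-same-owner gives every file to the extracting user
# instead of the recorded uid, and --no-same-permissions applies the current
# umask instead of the recorded modes. Running as root, tar would otherwise
# apply both the recorded owner and the recorded modes by default.
safe_extract() {
    archive=$1; dest=$2
    umask 077
    mkdir -p "$dest"
    chmod 700 "$dest"
    tar --no-same-owner --no-same-permissions -xf "$archive" -C "$dest"
}

# count_not_mine DIR
# Prints the number of entries under DIR owned by someone other than the
# current user; 0 means no other uid can edit the extracted SlackBuild.
count_not_mine() {
    find "$1" ! -user "$(id -un)" | wc -l | tr -d ' '
}

# Demo run: compare the two archives, then extract the bad one safely.
demo() {
    tmp=$(mktemp -d)
    make_demo_archive 1000 "$tmp/stray.tar"
    make_demo_archive 0 "$tmp/clean.tar"
    echo "non-root entries in stray.tar: $(count_foreign_owners "$tmp/stray.tar")"
    list_foreign_owners "$tmp/stray.tar"
    echo "non-root entries in clean.tar: $(count_foreign_owners "$tmp/clean.tar")"
    safe_extract "$tmp/stray.tar" "$tmp/build"
    echo "files not owned by me after safe_extract: $(count_not_mine "$tmp/build")"
    rm -rf "$tmp"
}
demo
```

The count check is what a packager would run over a finished tarball before publishing it (the chown/chmod step in the mail makes it report 0), and safe_extract is what the root-side build can do regardless of how the archive was made: with --no-same-owner the recorded UID 1000 never becomes the owner of anything under the build directory, and with mode 700 on the directory no other user can reach it even if a file did end up with another owner.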

Thanks for listening

CU

Manuel
-- 
()  ascii ribbon campaign - against html mail
/\                        - against HTML mail
answers as html mail will be deleted automatically!
Replies as HTML mail will be deleted automatically!

