| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Sep 2006 08:09:51 +0200 (CEST) From: Christine Kronberg <seeker@...lla.de> To: Raj Mathur <raju@...ux-delhi.org> Cc: bugtraq@...urityfocus.com Subject: Re: [Full-disclosure] Linux kernel source archive vulnerable On Fri, 8 Sep 2006, Raj Mathur wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > >>>>>> "Hadmut" == Hadmut Danisch <hadmut@...isch.de> writes: > > Hadmut> [snip] > > Hadmut> When unpacking such an archive, tar also sets the uid, > Hadmut> gid, and file permissions given in the tar > Hadmut> archive. Unfortunately, plenty of files and directories in > Hadmut> that archive are world writable. E.g. in the 2.6.17.11 > Hadmut> archive, there are 1201 world writable directories and > Hadmut> 19554 world writable files. > > I wouldn't know if something has changed drastically between 2.6.16 > and 2.6.17.11, but: > > raju@...l:~$ find /usr/src/linux-2.6.16/ -perm -666 ! -type l > raju@...l:~$ > > Not a single world-writable file or directory. Perhaps pre-release > kernel tarballs are more lax? Seems to. I just checked linux-2.6.13 and linux-2.6.17.6. While the first has no world writeable files or directories at all the latter has tons of it. Interesting. Cheers, Chris Kronberg.
Powered by blists - more mailing lists