Open Source and information security mailing list archives
 
Message-ID: <20060908181705.GA6868@danisch.de>
Date: Fri, 8 Sep 2006 20:17:05 +0200
From: hadmut@...isch.de (Hadmut Danisch)
To: "Gerald (Jerry) Carter" <jerry@...ba.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Linux kernel source archive vulnerable

Hi Jerry, 

On Fri, Sep 08, 2006 at 12:06:41PM -0500, Gerald (Jerry) Carter wrote:
> > 
> > So how would you do  
> > 
> >   make install 
> >   make modules_install
> 
> Building and install are separate operations.


Really? Both mean to do what is written in the Makefile.
Both are executing the Makefile.

Installation is, btw, more intrusive since it is not limited to the
source directory. So in my eyes there is no point in compiling as
non-root when you install as root then. 


The basic problem is that the wrong tool is used. It may sound
strange, but tar is simply the wrong tool: They want to distribute
source files without any assigned file permissions, but use a tape
archive tool which inherently carries uid, gid and permissions with
it. To circumvent the use of the wrong tool, they are using world
writable permissions.

It may sound funny to consider tar as the wrong tool, but it is.




> If
> you unpack the kernel as non-root, then the versions
> of tar I've tested do not preserve the original
> permissions but rather apply the current umask.


This makes it even worse. Because if other versions of tar do not show
this behavior (and I learned tar about 20 years ago on Unix) people do
not necessarily expect this behavior and do not have any reason to ask
Google about how to use tar.


If you cannot trust the kernel source to compile it as root, how could
you run it with root permissions (i.e. use it as a kernel)?


regards
Hadmut

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
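
An added example, not part of the original message: a Python sketch that reads the permission bits stored in a tar archive and compares the mode each member gets when permissions are preserved (GNU tar's default for root) with the mode it gets when the umask is applied (GNU tar's default for ordinary users). The sample archive, its member names and the uid 1046 are constructed for illustration.

```python
import io
import stat
import tarfile

# Constructed sample members: (name, stored mode, type). Not taken from any real archive.
SAMPLE = [
    ("src-1.0", 0o777, tarfile.DIRTYPE),
    ("src-1.0/Makefile", 0o666, tarfile.REGTYPE),
    ("src-1.0/README", 0o644, tarfile.REGTYPE),
]

def build_sample_archive() -> bytes:
    """Build an in-memory tar whose headers carry uid, gid and mode."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, typ in SAMPLE:
            info = tarfile.TarInfo(name)
            info.type, info.mode = typ, mode
            info.uid = info.gid = 1046  # constructed non-root owner
            if typ == tarfile.REGTYPE:
                data = b"all:\n"
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                tar.addfile(info)
    return buf.getvalue()

def audit(archive: bytes, umask: int = 0o022) -> list[dict]:
    """Report, per member, the stored mode and the mode after each extraction style."""
    rows = []
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for member in tar:
            stored = stat.S_IMODE(member.mode)
            rows.append({
                "name": member.name,
                "stored": stored,
                "preserved": stored,            # permissions kept as archived
                "umasked": stored & ~umask,     # umask applied on extraction
                "world_writable_if_preserved": bool(stored & stat.S_IWOTH),
            })
    return rows

if __name__ == "__main__":
    for row in audit(build_sample_archive()):
        flag = "WORLD-WRITABLE" if row["world_writable_if_preserved"] else ""
        print(f'{row["name"]:<20} stored={row["stored"]:04o} '
              f'preserved={row["preserved"]:04o} umasked={row["umasked"]:04o} {flag}')
```

Running the same audit over a downloaded archive before unpacking it as root shows which members would land world-writable on disk.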
