| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5ece0d580609120938g6db67adai6ba08a16f4f13af7@mail.gmail.com> Date: Tue, 12 Sep 2006 09:38:14 -0700 From: coderpunk <coderpunk@...il.com> To: "Joe Feise" <jfeise@...se.com> Cc: "Gerald \(Jerry\) Carter" <jerry@...ba.org>, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: Linux kernel source archive vulnerable On 9/11/06, Joe Feise <jfeise@...se.com> wrote: > coderpunk writes: > > >> The standard recommendation is to never compile > >> the kernel as root. > >> > >> > > > > Which obviously doesn't help you when a non-root user edits the > > kernel, you compile it as 'jerry' but still have to install it as > > 'root'. You're still hosed. > > Geez, of course not. Unpacking the kernel as non-root honors umask. > Problem solved. > It would help to 'info tar' before posting... That assumes a proper umask. The kernel source should not depend on the end user's umask being setup properly. I'm having a hard time understanding why so many people seem to be resistant to setting proper permissions in the kernel tree source. This is the single most important piece of source on a system, it should be as secure as possible before being released. Yes, you can mitigate those risks by doing things as non-root (not everyone does), you can assume a proper umask (not everyone's is), or you can just fix the permissons at the source and the problem goes away. .cp _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists