lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <B7C6636B-03E9-4D4C-AC0E-2898181F419B@mac.com>
Date:	Wed, 13 Sep 2006 02:49:45 -0400
From:	Kyle Moffett <mrmacman_g4@....com>
To:	daw-usenet@...erner.cs.berkeley.edu (David Wagner)
Cc:	linux-kernel@...r.kernel.org
Subject: Re: R: Linux kernel source archive vulnerable

On Sep 13, 2006, at 02:26:23, David Wagner wrote:
> Kyle Moffett  wrote:
>> On Sep 13, 2006, at 01:34:01, David Wagner wrote:
>>> So it sounds like git-tar-tree has a bug; its default isn't setting
>>> meaningful permissions on the files that it puts into the tar  
>>> archive.
>>> I hope the maintainers of git-tar-tree will consider fixing this  
>>> bug.
>>
>> Let me reiterate:  This is not a bug!
>
> I think it is a bug.  It sounds like git-tar-tree is storing the  
> wrong set of permissions in the tar archive.

No, git-tar-tree is storing the desired permissions (0666 and 0777)  
in the tar archive.  This is not a bug, those are actually the  
permissions we want in the tar archive.

> When I run "tar cf foo.tar bar", and bar has permissions 0644, then  
> tar inserts an entry into the archive for "bar" with its  
> permissions listed as 0644 (*not* 0666).

This is irrelevant because the actual permissions copied from GIT to  
the tar archive are 0666 (as desired).

> If "tar cf foo.tar bar" just ignored the permissions on bar and  
> always used a default of 0666 out of laziness, that would be a bug  
> in "tar cf". The same goes for git-tar-tree.  It seems to me that  
> git-tar-tree ought to behave the same as "tar cf".

It does; except the permissions in git are 0666 for files and 0777  
for directories so that your umask takes effect when you check out  
from GIT or extract a tar archive exported from GIT.

> In any case, regardless of whether this is by design or not, it is  
> not courteous to your users to distribute tar files where all the  
> files have permissions 0666.  That's not a user-friendly to do.

No, it is user-friendly.  This is like distributing programs who use  
open(..., 0666) when opening globally-readable files.  Programs that  
use open(..., 0644) are considered uncourteous because they  
intentionally ignore your umask.  The only cases where that is  
acceptable is user SSH private key files.  Likewise we store files  
with permissions 0666 in the tar archive so that the user's umask is  
applied to them properly.

o   Do *not* extract kernel trees as root
o   Do *not* build kernel trees as root
o   Do *not* package kernel trees as root
o   Do install kernel packages as root

It's that simple.  Please drop this discussion as it was brought up  
repeatedly on this list and the fairly general consensus is that this  
is not a bug in either the kernel source trees or GIT.

Cheers,
Kyle Moffett

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ