| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.61.0609131312130.19571@yvahk01.tjqt.qr> Date: Wed, 13 Sep 2006 13:13:31 +0200 (MEST) From: Jan Engelhardt <jengelh@...ux01.gwdg.de> To: Martin Mares <mj@....cz> cc: David Wagner <daw-usenet@...erner.cs.berkeley.edu>, linux-kernel@...r.kernel.org Subject: Re: R: Linux kernel source archive vulnerable >> In any case, regardless of whether this is by design or not, it is not >> courteous to your users to distribute tar files where all the files have >> permissions 0666. That's not a user-friendly to do. > >I disagree. > >(1) Some systems use per-user groups and create all files group-writeable >by default, i.e., they set the umask to 002. If you want to be user-friendly, >you should respect this setting, so the permissions in the tar archives you >distribute should be 666. > >(2) People extracting random archives as root with preserving permissions >(and owners) are relying on *ALL* archive creators using what they suppose >are the right permissions, which is at least simple-minded, if not completely >silly. If you want to help such users, you should do so by helping them >understand they do a wrong thing and not by hiding the problem in a single >specific case. And for those who -- for whatever reason -- extract kernelballs as root, should go use --no-same-permission. Jan Engelhardt -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists