Re: R: Linux kernel source archive vulnerable

[Stefan Richter]

David Wagner wrote:
>     (a) The Linux kernel tar archive contains files with world-writeable
>     permissions.

The group's and others' permissions in the tar archive don't matter.
They have no meaning on the local system. These archives are
distributions of sources and a few scripts --- they are not local archives.

>     (b) There is no need for those files to have world-writeable
>     permissions.  It doesn't serve any particular purpose.

Correction: The group's and others' permissions, regardless how they are
set in the tar archive, don't serve any particular purpose. You should
consequently demand that an archive format is used which does not
transfer group's and others' permissions at all.

>     (c) Some users may get screwed over by virtue of the fact that those
>     files are listed in the tar archive with world-writeable permissions.

Correction: Some users who set a wrong umask when creating files by
extraction from these archives and then attempt to build an own kernel
from that may screw themselves over.

The danger here as that users who handle umask in a wrong way actually
run self-made kernels. _This_ is what you should campaign against first.
-- 
Stefan Richter
-=====-=-==- =--= -==-=
http://arcgraph.de/sr/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/