Full Disclosure mailing list archives
Re: Linux kernel source archive vulnerable
From: hadmut () danisch de (Hadmut Danisch)
Date: Fri, 8 Sep 2006 18:18:46 +0200
On Fri, Sep 08, 2006 at 10:55:32AM -0500, Gerald (Jerry) Carter wrote:
> It is my understanding that the permissions are intentionally set that way.
yup, it's not accidental, it is set intentionally. But intention does not imply security.
> This has been discussed several times over the past year.
Which proves that this is a common problem and not a personal problem of mine. The more it has been discussed, the less I can understand why it hadn't been fixed.
> http://marc.theaimsgroup.com/?l=linux-kernel&m=114635639325551&w=2
> http://marc.theaimsgroup.com/?l=linux-kernel&m=113304241100330&w=2
Yeah, meanwhile I've read several discussions about this easy. What I learned so far:
- There are plenty of people with security concerns about this.
- There are plenty of other people ignoring these concerns.
- There is not a single good reason to deliver archive files with world writable permissions. Until now I just found that it is made intentionally, but no good reason.
> The standard recommendation is to never compile the kernel as root.
So how would you do
  make install
  make modules_install
then? This recommendation works only for generating kernel packages, but not for local installation. If this was a standard recommendation, why has the Makefile the install and modules_install clause at all? And if this is a standard recommendation, it is not sufficiently published. If it were, the Makefile itself would tell you "Don't call me as root". But the Makefile doesn't.
regards
Hadmut
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
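An added example, not part of the original post or of the kernel project: a pre-extraction check that lists world-writable members of a tar archive and computes the mode a umask would leave. The archive contents and the `src-1.0` names are constructed for the demonstration, and the function names are hypothetical.

```python
import io
import stat
import tarfile


def build_sample_archive() -> bytes:
    """Constructed sample: a small tar with two world-writable entries."""
    members = [
        ("src-1.0", 0o777, tarfile.DIRTYPE, b""),
        ("src-1.0/Makefile", 0o666, tarfile.REGTYPE, b"all:\n"),
        ("src-1.0/README", 0o644, tarfile.REGTYPE, b"readme\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, kind, data in members:
            info = tarfile.TarInfo(name)
            info.mode, info.type, info.size = mode, kind, len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def world_writable_members(archive: bytes) -> list[tuple[str, str]]:
    """Return (name, octal mode) for each member with the o+w bit set."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for info in tar:
            # Link entries carry no meaningful permission bits of their own.
            if info.issym() or info.islnk():
                continue
            if info.mode & stat.S_IWOTH:
                hits.append((info.name, oct(info.mode & 0o7777)))
    return hits


def mode_after_umask(mode: int, umask: int = 0o022) -> int:
    """Permission bits left once the given umask is applied on extraction."""
    return mode & 0o777 & ~umask


if __name__ == "__main__":
    for name, mode in world_writable_members(build_sample_archive()):
        fixed = oct(mode_after_umask(int(mode, 8)))
        print(f"world-writable: {name} ({mode}), with umask 022: {fixed}")
```

GNU tar preserves archived modes by default when run as root; its `--no-same-permissions` option applies the umask instead.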