Full Disclosure mailing list archives
Re: Linux kernel source archive vulnerable
From: coderpunk <coderpunk () gmail com>
Date: Tue, 12 Sep 2006 09:38:14 -0700
On 9/11/06, Joe Feise <jfeise () feise com> wrote:
> coderpunk writes:
>>> The standard recommendation is to never compile
>>> the kernel as root.
>>
>> Which obviously doesn't help you when a non-root user edits the
>> kernel, you compile it as 'jerry' but still have to install it as
>> 'root'. You're still hosed.
>
> Geez, of course not. Unpacking the kernel as non-root honors umask.
> Problem solved. It would help to 'info tar' before posting...

That assumes a proper umask. The kernel source should not depend on the end user's umask being set up properly.

I'm having a hard time understanding why so many people seem to be resistant to setting proper permissions in the kernel tree source. This is the single most important piece of source on a system, it should be as secure as possible before being released. Yes, you can mitigate those risks by doing things as non-root (not everyone does), you can assume a proper umask (not everyone's is), or you can just fix the permissions at the source and the problem goes away.

.cp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
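
The two positions in this exchange can be checked before anything is unpacked. The following is an added example, not code from the thread or from the kernel project: it lists archive members stored with group- or world-writable modes and shows which stay loose after extraction, assuming GNU tar's documented behaviour (root preserves archived permissions by default, ordinary users have their umask applied). The sample archive and the function names are constructed for illustration.

```python
import io
import stat
import tarfile

# Constructed sample entries (name, stored mode); not from any real tarball.
SAMPLE = [("src/Makefile", 0o666),
          ("src/scripts/build.sh", 0o777),
          ("src/README", 0o644)]
LOOSE_BITS = stat.S_IWGRP | stat.S_IWOTH  # writable by group or by others


def build_sample_tar(entries=SAMPLE):
    """Build an in-memory tar archive with the given member modes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in entries:
            data = b"constructed\n"
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def loose_members(tar_bytes):
    """Return (name, mode) for members stored group- or world-writable."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return [(m.name, m.mode) for m in tar.getmembers()
                if m.isfile() and m.mode & LOOSE_BITS]


def extracted_mode(stored, umask, preserve):
    """Mode on disk: stored mode if preserved (root default), else masked."""
    return stored if preserve else stored & ~umask


def still_loose_after_extract(tar_bytes, umask, preserve):
    """Names that remain group- or world-writable once extracted."""
    return [name for name, mode in loose_members(tar_bytes)
            if extracted_mode(mode, umask, preserve) & LOOSE_BITS]


if __name__ == "__main__":
    archive = build_sample_tar()
    for name, mode in loose_members(archive):
        print(f"{oct(mode)} {name}")
    print("non-root, umask 022:", still_loose_after_extract(archive, 0o022, False))
    print("non-root, umask 000:", still_loose_after_extract(archive, 0o000, False))
    print("root, permissions preserved:", still_loose_after_extract(archive, 0o022, True))
```
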