[Full-disclosure] Re: Linux kernel source archive vulnerable



On Fri, Sep 08, 2006 at 10:55:32AM -0500, Gerald (Jerry) Carter wrote:

It is my understanding that the permissions are
intentionally set that way.


yup, it's not accidently, it set intentionally.

But intention does not imply security.




This hash been discussed several times over the
past year.


Which proves that this is a common problem and not a personal problem
of mine. The more it has been discussed, the less I can understand why
it hadn't been fixed.


http://marc.theaimsgroup.com/?l=linux-kernel&m=114635639325551&w=2
http://marc.theaimsgroup.com/?l=linux-kernel&m=113304241100330&w=2

Yeah, meanwhile I've read several discussions about this easy. What I
learned so far:

- There are plenty of people with security concerns about this.
- There are plenty of other people ignoring these concerns.
- There is not a single good reason to deliver archive files with
world writable permissions. Until now I just found that it is made
intentionally, but no good reason.




The standard recommendation is to never compile
the kernel as root.

So how would you do

make install
make modules_install

then? This recommendation works only for generating kernel packages,
but not for local installation.

If this was a standard recommendation, why has the Makefile the
install and modules_install clause at all?


And if this is a standard recommendation, it is not sufficiently
published. If it were, the Makefile itself would tell you

"Don't call me as root"

But the Makefile doesn't.


regards
Hadmut





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages