[Full-disclosure] Re: Linux kernel source archive vulnerable

Hi Jerry,

On Fri, Sep 08, 2006 at 12:06:41PM -0500, Gerald (Jerry) Carter wrote:

So how would you do

make install
make modules_install

Building and install are separate operations.


Really? Both means to do what is standing in the Makefile.
Both is executing the Makefile.

Installation is, btw, more intrusive since it is not limited to the
source directory. So in my eyes there is no point in compiling as
non-root when you install as root then.


The basic problem is that the wrong tool is used. It may sound
strange, but tar is simply the wrong tool: They want to distribute
source files without any assigned file permissions, but use a tape
archive tool which inherently carries uid, gid and permissions with
it. To circumvent the use of the wrong tool, they are using world
writable permissions.

It may sound funny to consider tar as the wrong tool, but it is.




If
you unpack the kernel as non-root, then the versions
of tar I've tested do not preserve the original
permissions but rather apply the current umask.


This makes it even worse. Because if other versions of tar do not show
this behavior (and I learned tar about 20 years ago on Unix) people do
not necessarily expect this behavior and do not have any reason to ask
google about how to use tar.


If you cannot trust the kernel source to compile it as root, how could
you run it with root permissions (i.e. use it as a kernel)?


regards
Hadmut

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: Error code 1
    ... What permissions should it have in order ... to perform the make install actions? ... > permission denied on tar is more useful; ... > of FreeBSD, so if you accurately transcribed the error code, you seem ...
    (comp.unix.bsd.freebsd.misc)
  • Re: Dragon Player on kubuntu
    ... It says command not found. ... I assume I have to install tar or find in which folder it is! ... Check for the existence of GNU tar and its permissions on your system ...
    (alt.linux)
  • Re: Moving the /Home Partition, Permission Issues.
    ... rearrange some partitions in preparation. ... permissions as long as you make sure the users keep the same uid. ... If this is a complete new install, is choosing the same user name ... tar in this way is over 5 years ago. ...
    (Ubuntu)
  • Re: More before-the-fact advice for 2K and XP?
    ... neither ActiveX nor BHO require Admin permissions to ... given that non-admins have a significant amount of control over ... "Would you like to install the ... With executable white listing, the app doesn't just ...
    (microsoft.public.security)
  • Re: Creating a Restore Disk Image
    ... told me that I needed to run the Disk Utility by booting from the OS X ... That is true if you are repairing the disk, but repairing permissions is ... supposed to be done while booted from the hard drive, not the install ... anything explaining how to use Repair Permissions. ...
    (comp.sys.mac.system)