Bug#57740: Security: Many files are kept a+w

(cc'ed to debian-devel so others will not make the same mistake)

Previously Sven LUTHER wrote:
> On Fri, Feb 11, 2000 at 01:06:02PM +0100, Wichert Akkerman wrote:
> > It is a security issue in that users can use it to circumvent diskquota
> > by storing data inside those world-writeable files. 
> Huh ???
> Please explain to me how that works, ...

It's easy to put data in those files, and unless root does explicit checking
on the content of those files you will never notice it. You effectively
allow users to hide arbitrary data on the filesystem.

> Also heu, ... I could put them read only, but the directory needs to be
> read/write so that the user can compile stuff in the directory, so this
> changes nothing, or does it ?

NO! If a user wants to test an example he should copy it to somewhere
else and test it there.

> Maybe yes, because if the user launches a make in this directory, the files
> created will be created under the user id, and thus included in his quota ? or
> maybe it doesn't work so, but then I guess disk quotas are buggy.

Still bad, /usr is supposed to work read-only as well, and disk quotas
are done per filesystem so users will generally not have quotas on /usr.

> Like said above, you are maybe right. I will move them to being read only,
> but have the directory /usr/share/doc/mlgtk/examples world writeable, but not
> until early next week. Is this ok?

No, *nothing* in there should be writeable.
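
A check a maintainer or administrator could run against a package tree such as /usr/share/doc/mlgtk/examples to confirm that nothing in it is world-writeable. This is an added example, not part of the original message; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a directory tree for world-writeable entries.
# Uses only POSIX find/chmod options. Function names are hypothetical.

# list_world_writable ROOT
# Prints every regular file or directory under ROOT with the other-write
# bit (o+w) set. Symlinks are skipped: their own mode bits carry no meaning.
# -xdev keeps the walk on one filesystem, matching how quotas are applied.
list_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 -print
}

# audit_tree ROOT
# Returns 0 when ROOT is clean, 1 when anything is world-writeable.
# Findings go to stderr so the function can gate a package build step.
audit_tree() {
    found=$(list_world_writable "$1")
    if [ -n "$found" ]; then
        printf 'world-writeable entries under %s:\n%s\n' "$1" "$found" >&2
        return 1
    fi
    return 0
}

# strip_world_write ROOT
# Removes o+w from every flagged file and directory under ROOT.
strip_world_write() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Typical use, with the path taken from the thread:
#   audit_tree /usr/share/doc/mlgtk/examples || strip_world_write /usr/share/doc/mlgtk/examples
```
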


