Re: Bug#57740: Security: Many files are kept a+w
On Fri, Feb 11, 2000 at 01:21:32PM +0100, Wichert Akkerman wrote:
> (cc'ed to debian-devel so others will not make the same mistake)
> Previously Sven LUTHER wrote:
> > On Fri, Feb 11, 2000 at 01:06:02PM +0100, Wichert Akkerman wrote:
> > > It is a security issue in that users can use it to circumvent diskquota
> > > by storing data inside those world-writeable files.
> > Huh ???
> > Please explain to me how that work, ...
> It's easy to put data in those files, and unless root does explicit checking
> on the content of those files you will never notice it. You effectively
> allow users to hide arbitrary data on the filesystem.
> > Also heu, ... I could put them read-only, but the directory needs to be
> > read/write so that the user can compile stuff in the directory, so this
> > changes nothing, or does it?
> NO! If a user wants to test an example he should copy it to somewhere
> else and test it there.
> > Maybe yes, because if the user launches a make in this directory, the files
> > created will be created under the user id, and thus included in his quota? Or
> > maybe it doesn't work so, but then I guess disk quotas are buggy.
> Still bad, /usr is supposed to work read-only as well, and disk quotas
> are done per filesystem so users will generally not have quotas on /usr.
> > Like said above, you are maybe right. I will move them to being read-only,
> > but have the directory /usr/share/doc/mlgtk/examples world-writeable, but not
> > until early next week. Is this OK?
> No, *nothing* in there should be writeable.
OK, so where can I put example programs so that users can play with them quickly
without having to copy them over to their place. Do we need a /home/examples
or some such place, and symlink it from /usr/share/doc?
I think I am not the only one who is having this kind of need. Imagine, I
install this package here at university, and 200 students copy the files over
to their place, compile them and install them. Sure the files are quite small,
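A maintainer-side check for the packaging mistake Wichert describes, added here as an example and not part of this thread or of any Debian tooling: it lists world-writable files and non-sticky world-writable directories under a path such as a package's /usr/share/doc tree, and a companion function strips the offending write bit. The function names and the directory layout used in it are assumptions of mine.

```shell
#!/bin/sh
# audit_world_writable DIR
# Prints every entry under DIR that any user may write to and returns 1 if
# there is at least one, 0 if the tree is clean. Directories are reported
# unless they carry the sticky bit (like /tmp), since without it any user can
# create files there. On a filesystem such as /usr, where quota is normally
# not enforced, such entries let a user park data outside his quota.
audit_world_writable() {
    root="$1"
    # -perm -o+w: the "other" write bit is set; -perm -1000: sticky bit set.
    bad=$(find "$root" \( -type f -perm -o+w \) -o \
                       \( -type d -perm -o+w ! -perm -1000 \) 2>/dev/null)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# fix_world_writable DIR
# Removes the "other" write bit from the same set of entries the audit
# reports, leaving sticky directories alone.
fix_world_writable() {
    root="$1"
    find "$root" \( -type f -o -type d \) -perm -o+w ! -perm -1000 \
        -exec chmod o-w {} + 2>/dev/null
}
```

Run `audit_world_writable /usr/share/doc/<package>` against a freshly installed package before uploading it; a non-zero exit status means something in the tree is writable by everyone.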