Re: Bug#57740: Security: Many files are kept a+w

To: Wichert Akkerman <wichert@cistron.nl>
Cc: 57740@bugs.debian.org, Scott A Crosby <crosby@qwes.math.cmu.edu>, debian-devel@lists.debian.org
Subject: Re: Bug#57740: Security: Many files are kept a+w
From: Sven LUTHER <luther@dpt-info.u-strasbg.fr>
Date: Fri, 11 Feb 2000 13:28:26 +0100
Message-id: <20000211132826.A4431@dpt-info.u-strasbg.fr>
Mail-followup-to: Wichert Akkerman <wichert@cistron.nl>, 57740@bugs.debian.org, Scott A Crosby <crosby@qwes.math.cmu.edu>, debian-devel@lists.debian.org
Reply-to: luther@dpt-info.u-strasbg.fr
In-reply-to: <20000211132132.F17638@liacs.nl>; from wichert@cistron.nl on Fri, Feb 11, 2000 at 01:21:32PM +0100
References: <Pine.LNX.4.10.10002101237110.140-100000@qwe4.math.cmu.edu> <20000211125919.A4174@dpt-info.u-strasbg.fr> <20000211130602.B27546@cistron.nl> <20000211131525.A4294@dpt-info.u-strasbg.fr> <20000211132132.F17638@liacs.nl>

On Fri, Feb 11, 2000 at 01:21:32PM +0100, Wichert Akkerman wrote:
> 
> (cc'ed to debian-devel so others will not make the same mistake)
> 
> Previously Sven LUTHER wrote:
> > On Fri, Feb 11, 2000 at 01:06:02PM +0100, Wichert Akkerman wrote:
> > > It is a security issue in that users can use it to circumvent diskquota
> > > by storing data inside those world-writeable files. 
> > 
> > Huh ???
> > 
> > Please explain to me how that work, ...
> 
> It's easy to put data in those files, and unless root does explicit checking
> on the content of those files you will never notice it. You effectively
> allow uers to hide arbitrary data on the filesystem.
> 
> > Also heu, ... i could but them read only, but the directory needs to be
> > read/write so that the user can compile stuff in the directory, so this
> > changes nothing, or does it ?
> 
> NO! If a user wants to test an example he should copy it to somewhere
> else and test it there.
> 
> > Maybe yes, because if the user launches a make in this directory, the files
> > created will be created under the user id, and thus included in his quota ? or
> > maybe it don't work so, but then i guess disk quotas are buggy.
> 
> Still bad, /usr is supposed to work read-only as well, and disk quotas
> are done per filesystem so users will generally not have quotas on /usr.
> 
> > like said above, ytou are maybe right. I will move them to being read only,
> > but have the directory /usr/share/doc/mlgtk/examples world writeable, but not
> > until early next week. Is this ok.
> 
> No, *nothing* in there should be writeable.

Ok, so where can i put example programs so that users can play with it quickly
without having to copy them over to their place. Do we need a /home/examples
or somethign such place, and symlink it from /usr/share/doc ?

I think i am not the only one who is having this kind of needs, imagine, i
install this package here ta university, and 200 students copy the files over
to their place, compile them and install them. Sure the files are quite small,
but still.

Friendly,

Sven LUTHER

Reply to:

Follow-Ups:
- Re: Bug#57740: Security: Many files are kept a+w
  - From: Wichert Akkerman <wichert@cistron.nl>
- Re: Bug#57740: Security: Many files are kept a+w
  - From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
- Re: Bug#57740: Security: Many files are kept a+w
  - From: Jacob Kuntz <jpk@cape.com>
- Re: Bug#57740: Security: Many files are kept a+w
  - From: John Goerzen <jgoerzen@complete.org>
- Re: Bug#57740: Security: Many files are kept a+w
  - From: Joey Hess <joeyh@debian.org>

References:
- Re: Bug#57740: Security: Many files are kept a+w
  - From: Wichert Akkerman <wichert@cistron.nl>

Prev by Date: Re: Bug#57740: Security: Many files are kept a+w
Next by Date: Re: Bug#57740: Security: Many files are kept a+w
Previous by thread: Re: Bug#57740: Security: Many files are kept a+w
Next by thread: Re: Bug#57740: Security: Many files are kept a+w
Index(es):
- Date
- Thread