Re: Bug#79620: dpkg-source must handle file permissions
On Fri, Dec 15, 2000 at 09:49:09PM +1100, Herbert Xu wrote:
> Brian May <bam@debian.org> wrote:
> >
> > Unpacking is already a huge security risk. As a simplistic example,
> > unpacking the following package could have serious consequences
> > especially if done by root:
>
> > [682] [snoopy:bam] ~/dangerous >tar -tzvf dangerous_0.0.tar.gz
> > drwxr-xr-x bam/users 0 2000-12-15 17:06:21 dangerous-0.0/
> > lrwxrwxrwx bam/users 0 2000-12-15 17:06:21 dangerous-0.0/etc -> /etc
> > -rw-r--r-- bam/users 465 2000-12-15 17:06:21 dangerous-0.0/etc/nsswitch.conf
> > -rw-r--r-- bam/users 2568 2000-12-15 17:06:21 dangerous-0.0/etc/passwd
> > -rw-r--r-- bam/users 25 2000-12-15 17:06:21 dangerous-0.0/etc/shadow
>
> Try --keep-old-files
Try /etc/nologin, /etc/cron.daily/mailmetherootpassword
--
Colin Phipps http://www.cph.demon.co.uk/
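
An added example, not part of the original thread: a pre-extraction check for the archive layout listed above, where a symlink member is followed by members whose paths pass through it. It reads only the member list, so the result does not depend on whether a destination file already exists. The function names and the in-memory sample archive (sample-0.0) are constructed for illustration.

```python
import io
import posixpath
import tarfile


def audit_members(tf):
    """Return (member, reason) pairs for entries that would land outside the unpack dir."""
    links = {}       # normalized path of each symlink member seen so far -> its target
    findings = []
    for m in tf:
        name = posixpath.normpath(m.name)
        parts = name.split("/")
        if name.startswith("/") or ".." in parts:
            findings.append((m.name, "absolute or parent-relative path"))
            continue
        # A member is unsafe if any leading directory is an earlier symlink member.
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in links:
                findings.append((m.name, f"written through symlink {prefix} -> {links[prefix]}"))
                break
        if m.issym():
            target = m.linkname
            resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
            if target.startswith("/") or resolved == ".." or resolved.startswith("../"):
                findings.append((m.name, f"symlink leaves the tree -> {target}"))
            links[name] = target
    return findings


def build_sample():
    """Constructed in-memory archive with the same shape as the listing in the thread."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        d = tarfile.TarInfo("sample-0.0/")
        d.type = tarfile.DIRTYPE
        tf.addfile(d)
        link = tarfile.TarInfo("sample-0.0/etc")
        link.type, link.linkname = tarfile.SYMTYPE, "/etc"
        tf.addfile(link)
        for n in ("sample-0.0/etc/passwd", "sample-0.0/README"):
            tf.addfile(tarfile.TarInfo(n), io.BytesIO(b""))   # empty files
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    for member, reason in audit_members(build_sample()):
        print(f"REJECT {member}: {reason}")
```
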