>>>>> On Mon, 22 Sep 2008 16:00:41 -0400, "David Golden" <[EMAIL PROTECTED]> 
>>>>> said:

  > Problem 1: race condition between unarchiving and execution if
  > Makefile.PL or Build.PL is world writable (ditto test files as well)

  > (a) Have CPAN and CPANPLUS refuse to run 'perl *.PL' if the PL in
  > question is world writable.

What you say below.

  > (b) Have CPAN and CPANPLUS not preserve mode permissions even for
  > root; that's "--no-same-permissions" for tar or $Archive::Tar::CHMOD
  > = 0 for Archive::Tar.  I presume there's a comparable thing for zip
  > archives.  That leaves it up to the users umask setting.

I have no experience how much it would break.

  > (c) Both

  > (d) Something else

I lean toward PAUSE not indexing them thus pulling the plug as early
as possible.

  > (e) Ignore it

Even if the community tends to believe this to be irrelevant, I'd say
Shlomi is right. There's nothing that allows us to ignore security
relevant issues. We have to be paranoid, period.

  > Personally, I lean towards (b) as that seems relatively sane and
  > minimally disruptive.

  > For (a), I worry about edge cases for operating systems that don't
  > have unixish permissions.  E.g. on Win32, an administrator always has
  > write-permission, even on files set to be read-only.  A less
  > aggressive option than (a) is just to issue warnings about
  > world-writable files.

Sounds good.

  > For completeness, there's a possible problem 2: An insecure umask can
  > lead to world-writable files, including not only the unarchived files,
  > but also Makefile (or Build) and some files in blib [1]:

  > (a) Ignore this -- insecure umask isn't Perl's problem to worry about

  > (b) Set an appropriate umask before generating Makefile, Build or
  > copying things to blib.

  > For this one, I lean towards (a).

So do I.

Apart from that, I wonder if and how 'make dist' could let world
readable files escape. Or were they built without 'make dist'?

There was umask setting code in MakeMaker since the early days. If it
isn't anymore, this should be fixed, and if you agree with me, it must
be fixed RSN, given PAUSE would refuse to index distros with world
readable files.

-- 
andreas
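The two options David lists for problem 1, shown side by side on a constructed distribution tarball. This is an added example, not code from this thread, from CPAN.pm/CPANPLUS or from Archive::Tar: Python's tarfile stands in for the Perl extraction code, the distribution Foo-0.01 and its files are made up here, and a POSIX filesystem is assumed. `extract(..., preserve_modes=True)` behaves like `tar -p` / `$Archive::Tar::CHMOD = 1` (archive modes honoured), `preserve_modes=False` like `--no-same-permissions` / `$Archive::Tar::CHMOD = 0` (modes come from open(2) and the umask only); `world_writable_build_files` is the on-disk check option (a) would run before `perl Makefile.PL` or the tests, and `world_writable_members` is the pre-extraction warning variant.

```python
"""Added illustration: world-writable files in a CPAN-style tarball.
(a) refuse/warn on *.PL and t/*.t files that are world-writable on disk;
(b) extract without honouring archive modes so files get 0666 & ~umask.
The tarball and distribution name are constructed; nothing here is
CPAN.pm, CPANPLUS or Archive::Tar code."""
import io
import os
import posixpath
import shutil
import stat
import tarfile
import tempfile

# Constructed distribution: Makefile.PL and a test file shipped world-writable.
SAMPLE_MEMBERS = [
    ("Foo-0.01/Makefile.PL", 0o666, b"use ExtUtils::MakeMaker;\nWriteMakefile(NAME => 'Foo');\n"),
    ("Foo-0.01/lib/Foo.pm", 0o644, b"package Foo;\n1;\n"),
    ("Foo-0.01/t/basic.t", 0o777, b"print \"1..0\\n\";\n"),
]


def build_sample_tarball() -> bytes:
    """Build the constructed .tar.gz in memory with the modes above recorded."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, data in SAMPLE_MEMBERS:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def world_writable_members(tar_bytes: bytes) -> list:
    """Pre-extraction warning (the 'less aggressive' variant of (a)):
    regular-file members whose recorded mode carries the other-write bit."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers()
                if m.isfile() and m.mode & stat.S_IWOTH]


def _safe_relpath(name: str) -> str:
    """Reject absolute names and parent-directory escapes before touching disk."""
    norm = posixpath.normpath(name)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        raise ValueError("unsafe member name: %r" % name)
    return norm


def extract(tar_bytes: bytes, dest: str, preserve_modes: bool, umask: int = 0o022) -> None:
    """Write regular-file members under dest.
    preserve_modes=True  -> chmod each file to the archive mode (tar -p, CHMOD=1)
    preserve_modes=False -> leave the mode from open(2) with 0666 masked by umask
                            (--no-same-permissions, CHMOD=0)"""
    old_umask = os.umask(umask)
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
            for m in tar.getmembers():
                if not m.isfile():
                    continue
                target = os.path.join(dest, _safe_relpath(m.name))
                os.makedirs(os.path.dirname(target), exist_ok=True)  # 0777 & ~umask
                data = tar.extractfile(m).read()
                fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
                with os.fdopen(fd, "wb") as fh:
                    fh.write(data)
                if preserve_modes:
                    os.chmod(target, stat.S_IMODE(m.mode))
    finally:
        os.umask(old_umask)


def world_writable_build_files(root: str) -> list:
    """Option (a): files a CPAN client would execute (*.PL and *.t) that are
    world-writable on disk, as sorted paths relative to root."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not (fn.endswith(".PL") or fn.endswith(".t")):
                continue
            path = os.path.join(dirpath, fn)
            if os.stat(path).st_mode & stat.S_IWOTH:
                flagged.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(flagged)


def demo(preserve_modes: bool) -> list:
    """Extract the constructed tarball into a scratch dir and return what (a) would refuse."""
    dest = tempfile.mkdtemp(prefix="cpan-perm-")
    try:
        extract(build_sample_tarball(), dest, preserve_modes)
        return world_writable_build_files(dest)
    finally:
        shutil.rmtree(dest)


if __name__ == "__main__":
    print("archive members with o+w:", world_writable_members(build_sample_tarball()))
    print("on disk, modes preserved: ", demo(preserve_modes=True))
    print("on disk, umask 022 only:  ", demo(preserve_modes=False))
```

With the archive modes preserved, both Makefile.PL and t/basic.t come out world-writable and the check flags them; with the umask-only extraction the same tarball yields 0644 files and nothing is flagged, which is the "minimally disruptive" effect of option (b). The umask is set explicitly inside `extract` only so the result is deterministic; a real client would rely on the user's own umask, as the thread notes.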
