Hi all. Today, after I invoked my CPAN smoker for a while, I received another msec (Mandriva Security) report with many world-writable files in the CPAN distributions that were left unpacked under /home/cpan/.cpanplus. Among the gems there are:
    /home/cpan/.cpanplus/5.10.0/build/Data-Dump-Streamer-2.08-40/Makefile.PL
    /home/cpan/.cpanplus/5.10.0/build/Digest-JHash-0.05/Makefile.PL
    /home/cpan/.cpanplus/5.10.0/build/Getopt-ArgvFile-1.11/Makefile.PL
    /home/cpan/.cpanplus/5.10.0/build/HTML-Scrubber-0.08/Makefile.PL
    /home/cpan/.cpanplus/5.10.0/build/Kephra-0.3.10.11/Makefile.PL
    /home/cpan/.cpanplus/5.10.0/build/Readonly-1.03/Makefile.PL
    /home/cpan/.cpanplus/5.10.0/build/OOTools-2.21/Makefile.PL

As I noted here - http://rt.cpan.org/Ticket/Display.html?id=39481 :

> * Why exactly are you reporting this?
> Because msec reports it after I'm smoking CPAN.
> * What is the problem with world writeable files in a distro?

Let's suppose Makefile.PL is world-writable. While the distro is being unpacked, a malicious user writes something like:

    system('rm -fr $HOME');

to it, and after you come to the "perl Makefile.PL" stage - you lose your home-directory. ;-)

In any case, Mandriva's msec warns about them, which bothers me.

> > * What is your proposed remedy?

Make sure none of the files in the archive are world-writable.

My suggestion for resolving this is to modify the smoking modules so, after the archive is unpacked (with a proper umask and arguments to tar), they will traverse the directory tree and look for any world-writable files. If any are found, they will report the smoking of the module as "FAIL", and delete the unpacked directory tree, without doing the "perl Makefile.PL/Build.PL ..." dance.

We could give an option for doing this, if it bothers you. But I'm tired of finding these files in the msec report and reporting them manually.

Now I volunteer to implement this.

Regards,

Shlomi Fish

-----------------------------------------------------------------
Shlomi Fish http://www.shlomifish.org/
What Makes Software Apps High Quality - http://xrl.us/bkeuk

Shlomi, so what are you working on? Working on a new wiki about unit testing
fortunes in freecell?
-- Ran Eilam
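The gate proposed in the message above (unpack under a restrictive umask, walk the build tree, and FAIL and delete the tree on any world-writable entry), as an added Perl example that is not code from the original post or from any CPAN smoker module; the GNU tar flags and the constructed fake build directory are assumptions.

```perl
# Added example, not code from the original post or from any CPAN smoker.
# Unpack with a restrictive umask, then walk the build tree and refuse to
# continue (report FAIL, delete the tree) if anything is world-writable.
use strict;
use warnings;
use File::Find;
use File::Path qw(remove_tree);
use File::Temp qw(tempdir);

# Return every file or directory under $dir whose mode has the "other
# write" bit (0002).  lstat is used and symlinks are skipped, so a link
# pointing outside the build tree is never followed.
sub world_writable_entries {
    my ($dir) = @_;
    my @bad;
    find({ no_chdir => 1, wanted => sub {
        my $mode = (lstat $_)[2];
        return if !defined $mode || -l _;   # -l _ reuses the lstat buffer
        push @bad, $_ if $mode & 0002;
    } }, $dir);
    return sort @bad;
}

# Unpack under umask 022 and tell GNU tar not to restore the archive's own
# permission bits (--no-same-permissions): a 0666 Makefile.PL in the tarball
# then lands on disk as 0644.  The tar flags are assumed to be GNU tar's.
sub unpack_dist {
    my ($archive, $build_dir) = @_;
    my $old = umask 022;
    my $rc = system('tar', '--no-same-permissions', '-xzf', $archive, '-C', $build_dir);
    umask $old;
    return $rc == 0;
}

# The smoker's gate: 1 if clean; otherwise print FAIL, remove the tree and
# return 0 so the "perl Makefile.PL" stage is never reached.
sub check_build_dir {
    my ($build_dir) = @_;
    my @bad = world_writable_entries($build_dir) or return 1;
    print "FAIL: world-writable entries in $build_dir:\n  ", join("\n  ", @bad), "\n";
    remove_tree($build_dir);
    return 0;
}
# Constructed demo: a fake build dir (assumed name) holding a 0666
# Makefile.PL, the case msec reported.
my $build = tempdir(CLEANUP => 1) . '/Fake-Dist-0.01';
mkdir $build or die "mkdir: $!";
open my $fh, '>', "$build/Makefile.PL" or die "open: $!"; close $fh;
chmod 0666, "$build/Makefile.PL";
exit(check_build_dir($build) ? 0 : 1);
```

In a real smoker, unpack_dist() would run before check_build_dir() on the actual tarball; the demo skips tar so it runs offline.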