Re: [RFC] Dealing with World-writable Files in the Archive of CPAN Distributions

2008-11-13 Thread demerphq
2008/9/30 Andreas J. Koenig [EMAIL PROTECTED]:
 On Tue, 23 Sep 2008 11:40:09 +0200, Jos I. Boumans [EMAIL PROTECTED] 
 said:

   And so I have implemented it now. If it breaks too much in too short
   time, we could probably revert it, but first I'd like to see how bad
   we really do.

   I agree to this (first) solution; this will give us a good idea about
   the
   scope of the problem.

 I have watched the indexer for a week now. The scope is more than two
 uploads per day. These uploads got an email about world writable files
 or directories. I looked up their CPAN directories right now and based
 on the findings I have added the third column.

 23-Sep  SEMUELF/Data-ParseBinary-0.07.tar.gz          fixed
 26-Sep  GFUJI/warnings-unused-0.02.tar.gz             not fixed
 26-Sep  STEFFENW/DBD-PO-0.10.tar.gz                   not fixed
 26-Sep  STEFFENW/Bundle-DBD-PO-0.10.tar.gz            not fixed
 26-Sep  AJDIXON/daemonise-1.0.tar.gz                  not fixed
 26-Sep  RPHANEY/openStatisticalServices-0.015.tar.gz  fixed
 26-Sep  RPHANEY/openStatisticalServices-0.018.tar.gz  fixed
 27-Sep  COSIMO/Imager-SkinDetector-0.01.tar.gz        fixed
 27-Sep  FAYLAND/Pod-From-GoogleWiki-0.06.tar.gz       fixed
 28-Sep  DANNY/Rose-DBx-Object-Renderer-0.34.tar.gz    not fixed
 28-Sep  MTHURN/WWW-Search-Ebay-2.244.tar.gz           fixed
 28-Sep  JSTROM/Tk-TextVi-0.014.tar.gz                 not fixed
 28-Sep  JSTROM/Tk-TextVi-0.0141.tar.gz                not fixed
 29-Sep  MATTN/Net-Kotonoha-0.07.tar.gz                fixed
 29-Sep  MTHURN/WWW-Search-Ebay-Europe-2.002.tar.gz    fixed
 29-Sep  ANGERSTEI/Net-Ping-Network-1.57.tar.gz        not fixed
 29-Sep  RPHANEY/openStatisticalServices-0.019.tar.gz  fixed

 Congratulations to all authors who managed to fix their distros.
 If *you* are among them, please spread the word how you did it.

I fixed the issue for ExtUtils::Install by changing my Windows
permissions to be me only instead of Everyone. Also unclicked the
"inherit permissions from parent object" and used the advanced tab to
propagate the permissions to all children. No doubt I could have done
it with a command line tool, but I couldn't remember what it was
called.

Switching to CREATOR OWNER didn't work, nor did CREATOR GROUP.

Yves.


-- 
perl -Mre=debug -e /just|another|perl|hacker/


Re: [RFC] Dealing with World-writable Files in the Archive of CPAN Distributions

2008-09-29 Thread Andreas J. Koenig
 On Tue, 23 Sep 2008 11:40:09 +0200, Jos I. Boumans [EMAIL PROTECTED] 
 said:

  And so I have implemented it now. If it breaks too much in too short
  time, we could probably revert it, but first I'd like to see how bad
  we really do.

   I agree to this (first) solution; this will give us a good idea about
   the
   scope of the problem.

I have watched the indexer for a week now. The scope is more than two
uploads per day. These uploads got an email about world writable files
or directories. I looked up their CPAN directories right now and based
on the findings I have added the third column.

23-Sep  SEMUELF/Data-ParseBinary-0.07.tar.gz          fixed
26-Sep  GFUJI/warnings-unused-0.02.tar.gz             not fixed
26-Sep  STEFFENW/DBD-PO-0.10.tar.gz                   not fixed
26-Sep  STEFFENW/Bundle-DBD-PO-0.10.tar.gz            not fixed
26-Sep  AJDIXON/daemonise-1.0.tar.gz                  not fixed
26-Sep  RPHANEY/openStatisticalServices-0.015.tar.gz  fixed
26-Sep  RPHANEY/openStatisticalServices-0.018.tar.gz  fixed
27-Sep  COSIMO/Imager-SkinDetector-0.01.tar.gz        fixed
27-Sep  FAYLAND/Pod-From-GoogleWiki-0.06.tar.gz       fixed
28-Sep  DANNY/Rose-DBx-Object-Renderer-0.34.tar.gz    not fixed
28-Sep  MTHURN/WWW-Search-Ebay-2.244.tar.gz           fixed
28-Sep  JSTROM/Tk-TextVi-0.014.tar.gz                 not fixed
28-Sep  JSTROM/Tk-TextVi-0.0141.tar.gz                not fixed
29-Sep  MATTN/Net-Kotonoha-0.07.tar.gz                fixed
29-Sep  MTHURN/WWW-Search-Ebay-Europe-2.002.tar.gz    fixed
29-Sep  ANGERSTEI/Net-Ping-Network-1.57.tar.gz        not fixed
29-Sep  RPHANEY/openStatisticalServices-0.019.tar.gz  fixed

Congratulations to all authors who managed to fix their distros.
If *you* are among them, please spread the word how you did it.

I expect that the third column is already wrong when you read this.

Good night,
-- 
andreas


Re: [RFC] Dealing with World-writable Files in the Archive of CPAN Distributions

2008-09-22 Thread Eric Wilhelm
# from Ken Williams
# on Monday 22 September 2008 13:45:

 (a) Have CPAN and CPANPLUS refuse to run 'perl *.PL' if the PL in
 question is world writable.

That wouldn't completely solve the problem, since someone could
quickly rewrite *.PL and change it to non-writable status.  Note that
a world-writable top-level directory also has the same problem (or in
some cases, only one or the other situation has the problem).

Would that tracks-covering chmod not require *ownership* of the file?

# from David Golden on Monday 22 September 2008 13:00:
(b) Have CPAN and CPANPLUS not preserve mode permissions even for
root (that's --no-same-permissions for tar or $Archive::Tar::CHMOD
= 0 for Archive::Tar). I presume there's a comparable thing for zip
archives. That leaves it up to the user's umask setting.

Yes.  Would someone please explain to me how this issue is not already 
made a mostly non-issue by having a proper umask and running CPAN as 
non-root?

Thanks,
Eric
-- 
Time flies like an arrow, but fruit flies like a banana.
--Groucho Marx
---
http://scratchcomputing.com
---


Re: [RFC] Dealing with World-writable Files in the Archive of CPAN Distributions

2008-09-22 Thread Ken Williams
On Mon, Sep 22, 2008 at 5:23 PM, Eric Wilhelm
[EMAIL PROTECTED] wrote:

 Would that tracks-covering chmod not require *ownership* of the file?

According to the man page for chmod(1), yes, but on Win32 doesn't a
world-writable file mean it's world-replaceable too?

In any case, I was also trying to point out that if the top-level
directory is expanded as world-writable, then any file therein (e.g.
Build.PL) is world-replaceable.  So that's just another thing to check
for.

 -Ken


Re: [RFC] Dealing with World-writable Files in the Archive of CPAN Distributions

2008-09-22 Thread David Golden
On Mon, Sep 22, 2008 at 6:23 PM, Eric Wilhelm
[EMAIL PROTECTED] wrote:
 Yes.  Would someone please explain to me how this issue is not already
 made a mostly non-issue by having a proper umask and running CPAN as
 non-root?

Someone in the thread (sorry, forget who and I'm not going to search
for it) gave the example that access to Makefile.PL allows arbitrary
additions to the Makefile install target that a non-root user might
well run with sudo make install -- thus a Makefile.PL compromise
could be used to execute arbitrary code as root.

I'm not saying it's a big threat.  Risk level is the combination of
likelihood of an event and the severity of the event and the first is
low.

Nevertheless, stopping archive extraction from creating world-readable
files is probably a good idea.

-- David
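An added example, not code from the CPAN indexer, CPAN.pm, CPANPLUS or Archive::Tar, that puts both halves of this thread into one script: the indexer-side check for world-writable files and directories that Andreas describes (treating a world-writable top-level directory as a finding, per Ken's point that it makes every file inside replaceable), and the client-side option (b) that David quotes, extracting without preserving the archive's mode bits so that the umask, not the uploader, decides what lands on disk. It is written in Python rather than Perl so it runs as-is: the tarfile module stands in for Archive::Tar and tar(1), and the distribution Foo-1.00 and the modes of its entries are constructed for illustration.

```python
"""Added example, not code from the CPAN indexer, CPAN.pm or CPANPLUS.
Python's tarfile stands in for Archive::Tar and tar(1); the distribution
Foo-1.00 and the modes of its entries are constructed for illustration."""
from __future__ import annotations

import io
import os
import stat
import tarfile
import tempfile


def build_sample_tarball() -> bytes:
    """Constructed upload: world-writable top-level directory (0777),
    world-writable Makefile.PL (0666), group-writable README (0664)
    and an unremarkable lib/Foo.pm (0644)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, mode, data=None):
            info = tarfile.TarInfo(name)
            info.mode = mode
            if data is None:                     # directory entry
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
        add("Foo-1.00", 0o777)
        add("Foo-1.00/Makefile.PL", 0o666,
            b"use ExtUtils::MakeMaker;\nWriteMakefile(NAME => 'Foo');\n")
        add("Foo-1.00/README", 0o664, b"Foo - sample dist\n")
        add("Foo-1.00/lib", 0o755)
        add("Foo-1.00/lib/Foo.pm", 0o644, b"package Foo;\n1;\n")
    return buf.getvalue()


def audit_world_writable(tar_bytes: bytes) -> list:
    """Indexer-side check: (name, kind, mode) for every member with the
    other-write bit set.  Directories count too: a 0644 Makefile.PL inside
    a 0777 directory is no safer than a 0666 one, since it can be replaced."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.mode & stat.S_IWOTH:
                findings.append((m.name, "dir" if m.isdir() else "file",
                                 m.mode & 0o7777))
    return findings


def extract_with_umask(tar_bytes: bytes, dest: str, umask: int = 0o022) -> dict:
    """Client-side fix: extract while ignoring the archive's mode bits, the
    effect of tar's --no-same-permissions or $Archive::Tar::CHMOD = 0.
    Each entry gets 0777 (dir) or 0666 (file) masked by `umask`, so a
    0777/0666 upload lands on disk as 0755/0644.  The mask has to be applied
    to the TarInfo: tarfile.extract() chmods explicitly, so the process
    umask alone would not help.  Returns {name: mode read back from disk}."""
    # Interpreters with extraction filters (3.12+ and the security backports
    # to 3.8-3.11): the "tar" filter refuses absolute paths and "../" escapes
    # and itself clears group/other write bits, which agrees with umask 022.
    extra = {"filter": "tar"} if hasattr(tarfile, "tar_filter") else {}
    on_disk = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if not (m.isdir() or m.isfile()):
                continue                         # links/devices: not in a sane dist
            m.mode = (0o777 if m.isdir() else 0o666) & ~umask
            tar.extract(m, path=dest, **extra)
            st = os.lstat(os.path.join(dest, m.name))
            on_disk[m.name] = stat.S_IMODE(st.st_mode)
    return on_disk


def demo() -> dict:
    """Build the sample, audit it, extract it into a scratch directory and
    return both results."""
    tb = build_sample_tarball()
    with tempfile.TemporaryDirectory() as scratch:
        modes = extract_with_umask(tb, scratch)
    return {"findings": audit_world_writable(tb), "modes": modes}


if __name__ == "__main__":
    for name, kind, mode in demo()["findings"]:
        print(f"world-writable {kind}: {name} ({mode:04o})")
```

The point worth taking from the extraction half is the answer to Eric's umask question: an extractor that preserves archive modes applies them with an explicit chmod after creating the file, so the umask never gets a say; only an extractor that discards the stored mode (the `--no-same-permissions` behaviour shown here) lets the umask matter. Running as non-root still limits the damage from a replaced Makefile.PL to the user's account, until a later `sudo make install` runs the result.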