Re: [RFC] Dealing with World-writable Files in the Archive of CPAN Distributions
2008/9/30 Andreas J. Koenig [EMAIL PROTECTED]:
> On Tue, 23 Sep 2008 11:40:09 +0200, Jos I. Boumans [EMAIL PROTECTED] said:
>>> And so I have implemented it now. If it breaks too much in too short time, we could probably revert it, but first I'd like to see how bad we really do.
>> I agree to this (first) solution; this will give us a good idea about the scope of the problem.
>
> I have watched the indexer for a week now. The scope is more than two uploads per day. These uploads got an email about world writable files or directories. I looked up their CPAN directories right now and based on the findings I have added the third column.
>
>   23-Sep  SEMUELF/Data-ParseBinary-0.07.tar.gz            fixed
>   26-Sep  GFUJI/warnings-unused-0.02.tar.gz               not fixed
>   26-Sep  STEFFENW/DBD-PO-0.10.tar.gz                     not fixed
>   26-Sep  STEFFENW/Bundle-DBD-PO-0.10.tar.gz              not fixed
>   26-Sep  AJDIXON/daemonise-1.0.tar.gz                    not fixed
>   26-Sep  RPHANEY/openStatisticalServices-0.015.tar.gz    fixed
>   26-Sep  RPHANEY/openStatisticalServices-0.018.tar.gz    fixed
>   27-Sep  COSIMO/Imager-SkinDetector-0.01.tar.gz          fixed
>   27-Sep  FAYLAND/Pod-From-GoogleWiki-0.06.tar.gz         fixed
>   28-Sep  DANNY/Rose-DBx-Object-Renderer-0.34.tar.gz      not fixed
>   28-Sep  MTHURN/WWW-Search-Ebay-2.244.tar.gz             fixed
>   28-Sep  JSTROM/Tk-TextVi-0.014.tar.gz                   not fixed
>   28-Sep  JSTROM/Tk-TextVi-0.0141.tar.gz                  not fixed
>   29-Sep  MATTN/Net-Kotonoha-0.07.tar.gz                  fixed
>   29-Sep  MTHURN/WWW-Search-Ebay-Europe-2.002.tar.gz      fixed
>   29-Sep  ANGERSTEI/Net-Ping-Network-1.57.tar.gz          not fixed
>   29-Sep  RPHANEY/openStatisticalServices-0.019.tar.gz    fixed
>
> Congratulations to all authors who managed to fix their distros. If *you* are among them, please spread the word how you did it.

I fixed the issue for ExtUtils::Install by changing my Windows permissions to be me only instead of Everyone. Also unclicked the inherit permissions from parent object and used the advanced tab to propagate the permissions to all children. No doubt I could have done it with a command line tool, but I couldn't remember what it was called.

Switching to CREATOR OWNER didn't work, nor did CREATOR GROUP.

Yves.

-- 
perl -Mre=debug -e /just|another|perl|hacker/
Re: [RFC] Dealing with World-writable Files in the Archive of CPAN Distributions
On Tue, 23 Sep 2008 11:40:09 +0200, Jos I. Boumans [EMAIL PROTECTED] said:
>> And so I have implemented it now. If it breaks too much in too short time, we could probably revert it, but first I'd like to see how bad we really do.
> I agree to this (first) solution; this will give us a good idea about the scope of the problem.

I have watched the indexer for a week now. The scope is more than two uploads per day. These uploads got an email about world writable files or directories. I looked up their CPAN directories right now and based on the findings I have added the third column.

  23-Sep  SEMUELF/Data-ParseBinary-0.07.tar.gz            fixed
  26-Sep  GFUJI/warnings-unused-0.02.tar.gz               not fixed
  26-Sep  STEFFENW/DBD-PO-0.10.tar.gz                     not fixed
  26-Sep  STEFFENW/Bundle-DBD-PO-0.10.tar.gz              not fixed
  26-Sep  AJDIXON/daemonise-1.0.tar.gz                    not fixed
  26-Sep  RPHANEY/openStatisticalServices-0.015.tar.gz    fixed
  26-Sep  RPHANEY/openStatisticalServices-0.018.tar.gz    fixed
  27-Sep  COSIMO/Imager-SkinDetector-0.01.tar.gz          fixed
  27-Sep  FAYLAND/Pod-From-GoogleWiki-0.06.tar.gz         fixed
  28-Sep  DANNY/Rose-DBx-Object-Renderer-0.34.tar.gz      not fixed
  28-Sep  MTHURN/WWW-Search-Ebay-2.244.tar.gz             fixed
  28-Sep  JSTROM/Tk-TextVi-0.014.tar.gz                   not fixed
  28-Sep  JSTROM/Tk-TextVi-0.0141.tar.gz                  not fixed
  29-Sep  MATTN/Net-Kotonoha-0.07.tar.gz                  fixed
  29-Sep  MTHURN/WWW-Search-Ebay-Europe-2.002.tar.gz      fixed
  29-Sep  ANGERSTEI/Net-Ping-Network-1.57.tar.gz          not fixed
  29-Sep  RPHANEY/openStatisticalServices-0.019.tar.gz    fixed

Congratulations to all authors who managed to fix their distros. If *you* are among them, please spread the word how you did it.

I expect that the third column is already wrong when you read this.

Good night,
-- 
andreas
Re: [RFC] Dealing with World-writable Files in the Archive of CPAN Distributions
# from Ken Williams
# on Monday 22 September 2008 13:45:
> (a) Have CPAN and CPANPLUS refuse to run 'perl *.PL' if the PL in question is world writable. That wouldn't completely solve the problem, since someone could quickly rewrite *.PL and change it to non-writable status. Note that a world-writable top-level directory also has the same problem (or in some cases, only one or the other situation has the problem).

Would that tracks-covering chmod not require *ownership* of the file?

# from David Golden
# on Monday 22 September 2008 13:00:
> (b) Have CPAN and CPANPLUS not preserve mode permissions even for root; that's --no-same-permissions for tar or $Archive::Tar::CHMOD = 0 for Archive::Tar. I presume there's a comparable thing for zip archives. That leaves it up to the user's umask setting.

Yes. Would someone please explain to me how this issue is not already made a mostly non-issue by having a proper umask and running CPAN as non-root?

Thanks,
Eric
-- 
Time flies like an arrow, but fruit flies like a banana.
--Groucho Marx
---
http://scratchcomputing.com
---
Re: [RFC] Dealing with World-writable Files in the Archive of CPAN Distributions
On Mon, Sep 22, 2008 at 5:23 PM, Eric Wilhelm [EMAIL PROTECTED] wrote:
> Would that tracks-covering chmod not require *ownership* of the file?

According to the man page for chmod(1), yes, but on Win32 doesn't a world-writable file mean it's world-replaceable too?

In any case, I was also trying to point out that if the top-level directory is expanded as world-writable, then any file therein (e.g. Build.PL) is world-replaceable. So that's just another thing to check for.

-Ken
Re: [RFC] Dealing with World-writable Files in the Archive of CPAN Distributions
On Mon, Sep 22, 2008 at 6:23 PM, Eric Wilhelm [EMAIL PROTECTED] wrote:
> Yes. Would someone please explain to me how this issue is not already made a mostly non-issue by having a proper umask and running CPAN as non-root?

Someone in the thread (sorry, forget who and I'm not going to search for it) gave the example that access to Makefile.PL allows arbitrary additions to the Makefile install target that a non-root user might well run with sudo make install -- thus a Makefile.PL compromise could be used to execute arbitrary code as root.

I'm not saying it's a big threat. Risk level is the combination of likelihood of an event and the severity of the event and the first is low. Nevertheless, stopping archive extraction from creating world-readable files is probably a good idea.

-- David
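The two checks discussed in this thread, as an added example in Python that is not code from the thread, from PAUSE or from CPAN/CPANPLUS: flagging archive entries that carry the world-writable bit (the indexer check Andreas describes, including Ken's point about a world-writable top-level directory), and computing the modes an extractor would apply if it ignored the archive's permission bits and honoured the umask instead (the tar --no-same-permissions / $Archive::Tar::CHMOD = 0 behaviour David mentions). The distribution name Foo-Bar-0.01 and the tarball contents are constructed sample data, not a real upload.

```python
import io
import stat
import tarfile

# "Other" write bit: the condition the indexer mails authors about.
WORLD_WRITABLE = stat.S_IWOTH


def build_sample_dist():
    """Construct an in-memory tarball standing in for an upload (sample data,
    not a real CPAN distribution): a world-writable top-level directory,
    a world-writable Makefile.PL and one correctly-moded module file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, mode, data=None):
            info = tarfile.TarInfo(name)
            info.mode = mode
            if data is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
        add("Foo-Bar-0.01", 0o777)
        add("Foo-Bar-0.01/Makefile.PL", 0o666, b"use ExtUtils::MakeMaker;\n")
        add("Foo-Bar-0.01/lib/Foo/Bar.pm", 0o644, b"package Foo::Bar;\n1;\n")
    return buf.getvalue()


def world_writable_entries(archive):
    """Names of files or directories whose stored mode has the o+w bit set."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        return [m.name for m in tar if m.mode & WORLD_WRITABLE]


def modes_after_umask(archive, umask=0o022):
    """Mode each entry would receive if extraction did not preserve the
    archive's permission bits and applied the process umask instead."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        return {m.name: m.mode & ~umask & 0o777 for m in tar}


if __name__ == "__main__":
    dist = build_sample_dist()
    for name in world_writable_entries(dist):
        print("world writable:", name)
    for name, mode in modes_after_umask(dist).items():
        print(f"{name}: {mode:04o}")
```

With the default umask of 022 both offending entries lose the o+w bit, which is exactly why Eric's "proper umask plus non-root" mitigation works as long as the extractor does not force the archive's modes back on.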