[Top] [All Lists]

Re: Insecure world writable files from XFS 1.0.1 ISO installer

To: Simon Matter <simon.matter@xxxxxxxxxxxxxxxx>
Subject: Re: Insecure world writable files from XFS 1.0.1 ISO installer
From: Steve Lord <lord@xxxxxxx>
Date: Thu, 02 Aug 2001 09:59:48 -0500
Cc: Keith Owens <kaos@xxxxxxxxxxxxxxxxx>, Eric Sandeen <sandeen@xxxxxxx>, linux-xfs <linux-xfs@xxxxxxxxxxx>
In-reply-to: Message from Simon Matter <simon.matter@ch.sauter-bc.com> of "Thu, 02 Aug 2001 16:39:50 +0200." <3B696636.E497C497@ch.sauter-bc.com>
Sender: owner-linux-xfs@xxxxxxxxxxx
> Keith Owens schrieb:
> > 
> > On Thu, 02 Aug 2001 08:49:36 -0500,
> > Eric Sandeen <sandeen@xxxxxxx> wrote:
> > >Simon Matter wrote:
> > >>
> > >> When installing from the ISO RH7.1-SGI-XFS-1.0.1, all system config
> > >> files and directories which are not part of an RPM are installed world
> > >> writeable (mode 666/777).
> > >
> > >Which files, for example?  So this does NOT happen with either stock Red
> > >Hat or XFS 1.0?  Not sure what might be causing this...
> > 
> > Almost certainly the kernel bug introduced somewhere around 2.4.3 and
> > fixed in 2.4.7.  The default umask for kernel threads, including init
> > was incorrectly set to 000.  Stock RedHat init scripts have umask 022
> > at the start which hides the kernel bug.
> So this means that intalling with the 1.0 installer and upgrading to
> 1.0.1 is secure but installing with the 1.0.1 installer will create a
> system with open doors.

The interesting thing is that the initscripts should stay the same, so
I would suspect something running in the kernel at install time is
at fault.

The 1.0.1 install package does not have a redhat equivalent, they did
not respin their iso images when they released a 2.4.3 based kernel rpm,
the only way for a redhat user to get to this configuration was a 7.1
install followed by a kernel rpm upgrade. It seems like we should have
stuck to the same path.

Eric, which kernel is running when the installer is doing it's stuff, it
is possible there is something about this kernel. In the meantime, I am
not sure we should leave the 1.0.1 iso images up on the web site but
recommend people use the 1.0 and then do a kernel upgrade. This means
the installer fixes get lost, but it may be the most prudent path


> -Simon

<Prev in Thread] Current Thread [Next in Thread>