Re: Insecure world writable files from XFS 1.0.1 ISO installer

To: Eric Sandeen <sandeen@xxxxxxx>
Subject: Re: Insecure world writable files from XFS 1.0.1 ISO installer
From: Simon Matter <simon.matter@xxxxxxxxxxxxxxxx>
Date: Thu, 02 Aug 2001 17:31:10 +0200
>received: from mobile.sauter-bc.com (unknown [10.1.6.21]) by basel1.sauter-bc.com (Postfix) with ESMTP id E077F57306; Thu, 2 Aug 2001 17:31:10 +0200 (CEST)
Cc: Steve Lord <lord@xxxxxxx>, Keith Owens <kaos@xxxxxxxxxxxxxxxxx>, linux-xfs <linux-xfs@xxxxxxxxxxx>
Organization: Sauter AG, Basel
References: <200108021459.f72ExmB06735@jen.americas.sgi.com> <996765146.16847.3.camel@stout.americas.sgi.com>
Sender: owner-linux-xfs@xxxxxxxxxxx
Eric Sandeen wrote:
> 
> On 02 Aug 2001 09:59:48 -0500, Steve Lord wrote:
> 
> > The 1.0.1 install package does not have a redhat equivalent, they did
> > not respin their iso images when they released a 2.4.3 based kernel rpm,
> > the only way for a redhat user to get to this configuration was a 7.1
> > install followed by a kernel rpm upgrade. It seems like we should have
> > stuck to the same path.
> 
> Ah, hindsight is great, isn't it?  :(
> 
> > Eric, which kernel is running when the installer is doing its stuff, it
> > is possible there is something about this kernel. In the meantime, I am
> > not sure we should leave the 1.0.1 iso images up on the web site but
> > recommend people use the 1.0 and then do a kernel upgrade. This means
> > the installer fixes get lost, but it may be the most prudent path
> > here.
> 
> The Red Hat 2.4.3 + XFS kernel is running at install time, so I guess
> that's where this problem comes from.  Hm, might be time to come up with

/etc/rc.d/init.d/functions keeps umask sane at 022 but when booting with
linux init=/bin/sh the umask is 000. I'm not an expert but I guess this
is the dangerous 'feature' :(

> a script to fix this up, and a "warning" email to users...  Darn.
> 
> I could do a 1.0.1a kernel with this bug fixed, and respin the
> installer, too, I suppose.

If you're doing so, could you please include my modified RPMs:

My previous mail:
http://oss.sgi.com/projects/xfs/mail_archive/0107/msg01211.html

RPMs:
http://home.datacomm.ch/~simix/XFS/

> 
> -Eric
> 
> --
> Eric Sandeen      XFS for Linux     http://oss.sgi.com/projects/xfs
> sandeen@xxxxxxx   SGI, Inc.
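
An added example, not part of the original message and not the fix-up script the thread mentions: a POSIX shell audit for the symptom discussed above, files and directories created while the umask was 000. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Audit a tree for objects left world-writable by a umask of 000.
# All names below are hypothetical; the demo tree is constructed sample data.

# Run find over $1 and apply the remaining arguments as the action.
# Matches world-writable regular files, and world-writable directories
# that lack the sticky bit (sticky ones such as /tmp are intentional).
scan_world_writable() {
    root=$1; shift
    find "$root" -xdev \( \( -type f -perm -0002 \) -o \
        \( -type d -perm -0002 ! -perm -1000 \) \) "$@"
}

# Report only.
list_world_writable() { scan_world_writable "$1" -print | sort; }

# Strip the "other" write bit from everything the scan matches.
fix_world_writable() { scan_world_writable "$1" -exec chmod o-w {} +; }

# Build a small tree the way an installer would under each umask:
# with 000 a new file gets 0666 and a new directory 0777,
# with 022 they get 0644 and 0755.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    ( umask 000; mkdir "$d/etc"; : > "$d/etc/passwd"
      mkdir "$d/tmp"; chmod 1777 "$d/tmp" )
    ( umask 022; : > "$d/etc/hosts" )
    printf '%s\n' "$d"
}

tree=$(make_demo_tree)
echo "world-writable before fix:"
list_world_writable "$tree"
fix_world_writable "$tree"
echo "world-writable after fix:"
list_world_writable "$tree"
rm -rf "$tree"
```

On a real system, review the output of `list_world_writable` before running `fix_world_writable`; `-xdev` keeps the scan on the filesystem it starts on.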


