Re: Insecure world writable files from XFS 1.0.1 ISO installer
Eric Sandeen wrote:
>
> Simon Matter wrote:
> >
> > When installing from the ISO RH7.1-SGI-XFS-1.0.1, all system config
> > files and directories which are not part of an RPM are installed world
> > writeable (mode 666/777).
>
> Which files, for example? So this does NOT happen with either stock Red
> Hat or XFS 1.0? Not sure what might be causing this...
Sorry for not providing more information.
It does NOT happen with XFS 1.0 release. I guess it also does not occur
with stock RH installer.
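My dirty find script looks like this:
#!/bin/sh
# For every file or directory not owned by an RPM package,
# list everything at or beneath it that is group- and world-writable.
find . -type f -o -type d | while IFS= read -r xxx; do
    rpm -qf "$xxx" > /dev/null
    RETVAL=$?
    if [ $RETVAL -gt 0 ]; then
        find "$xxx" -perm -022 -exec ls -lad {} \;
    fi
done
When run in /etc it gives something like: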
[root@ga-www /etc]# /root/checkit.2
drwxrwxrwx 8 root root 4096 Aug 2 15:35 ./sysconfig
lrwxrwxrwx 1 root root 20 Jul 31 14:34 ./sysconfig/network-scripts/ifdown -> ../../../sbin/ifdown
lrwxrwxrwx 1 root root 18 Jul 31 14:34 ./sysconfig/network-scripts/ifup -> ../../../sbin/ifup
-rw-rw-rw- 1 root root 74 Jul 31 14:35 ./sysconfig/i18n
-rw-rw-rw- 1 root root 90 Jul 31 14:35 ./sysconfig/mouse
-rw-rw-rw- 1 root root 32 Jul 31 14:35 ./sysconfig/keyboard
-rw-rw-rw- 1 root root 40 Jul 31 14:35 ./sysconfig/clock
-rw-rw-rw- 1 root root 11 Jul 31 14:35 ./sysconfig/desktop
-rw-rw-rw- 1 root root 38 Jul 31 14:35 ./sysconfig/pcmcia
-rw-rw-rw- 1 root root 2150 Aug 2 16:52 ./sysconfig/hwconf
-rw-rw-rw- 1 root root 58 Jul 31 15:07 ./sysconfig/network
-rw-rw-rw- 1 root root 74 Jul 31 14:35 ./sysconfig/i18n
-rw-rw-rw- 1 root root 90 Jul 31 14:35 ./sysconfig/mouse
-rw-rw-rw- 1 root root 32 Jul 31 14:35 ./sysconfig/keyboard
-rw-rw-rw- 1 root root 40 Jul 31 14:35 ./sysconfig/clock
-rw-rw-rw- 1 root root 11 Jul 31 14:35 ./sysconfig/desktop
-rw-rw-rw- 1 root root 38 Jul 31 14:35 ./sysconfig/pcmcia
-rw-rw-rw- 1 root root 2150 Aug 2 16:52 ./sysconfig/hwconf
-rw-rw-rw- 1 root root 58 Jul 31 15:07 ./sysconfig/network
-rw-rw-rw- 1 root root 16342 Jul 31 14:35 ./X11/XF86Config
-rw-rw-rw- 1 root root 3698 Jul 31 14:35 ./X11/XF86Config-4
-rw-rw-rw- 1 root root 66 Jul 31 14:33 ./shells
-rw-rw-rw- 1 root root 221 Jul 31 14:34 ./sgml/sgml-docbook-3.0.cat
-rw-rw-rw- 1 root root 156 Jul 31 14:34 ./sgml/catalog
-rw-rw-rw- 1 root root 221 Jul 31 14:34 ./sgml/sgml-docbook-3.1.cat
-rw-rw-rw- 1 root root 221 Jul 31 14:34 ./sgml/sgml-docbook-4.0.cat
-rw-rw-rw- 1 root root 221 Jul 31 14:34 ./sgml/sgml-docbook-4.1.cat
lrwxrwxrwx 1 root root 30 Jul 31 14:34 ./sgml/sgml-docbook.cat -> /etc/sgml/sgml-docbook-4.1.cat
-rw-rw-rw- 1 root root 221 Jul 31 14:34 ./sgml/sgml-docbook-3.0.cat
-rw-rw-rw- 1 root root 156 Jul 31 14:34 ./sgml/catalog
-rw-rw-rw- 1 root root 221 Jul 31 14:34 ./sgml/sgml-docbook-3.1.cat
-rw-rw-rw- 1 root root 221 Jul 31 14:34 ./sgml/sgml-docbook-4.0.cat
-rw-rw-rw- 1 root root 221 Jul 31 14:34 ./sgml/sgml-docbook-4.1.cat
-rw-rw-rw- 1 root root 15 Jul 31 14:35 ./resolv.conf
-rw-rw-rw- 1 root root 238 Aug 2 12:07 ./hosts
What a nice toy for the kiddies :-)
There was an earlier thread on this list and Keith Owens said:
> Which kernel? There was a kernel bug from 2.4.3-pre5 until 2.4.7-pre7
> where the initscripts ran with umask 000 instead of 022, that would
> give the effect above. It is fixed in the XFS CVS tree because that is
> at 2.4.7, but the old releases might be bitten by this kernel bug.
Hope this helps.
>
> -Eric
>
> --
> Eric Sandeen XFS for Linux http://oss.sgi.com/projects/xfs
> sandeen@sgi.com SGI, Inc.
--
Simon Matter Tel: +41 61 695 57 35
Fr.Sauter AG / CIT Fax: +41 61 695 53 30
Im Surinam 55
CH-4016 Basel [mailto:simon.matter@ch.sauter-bc.com]
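
Added example, not part of the original message and not code from the XFS project: a POSIX sh version of the audit above that tests only the world-write bit, skips symlinks, and reproduces in a scratch directory the umask 000 effect Keith Owens describes. The function names and the scratch files are constructed for illustration.

```sh
#!/bin/sh
# Added example; all function names and scratch paths are hypothetical.

# List regular files and directories under $1 that are writable by "other".
# -perm -0002 tests only the world-write bit; the thread's -perm -022 also
# requires group-write. Symlinks are skipped: on Linux their own mode is
# always lrwxrwxrwx and is not used for access checks.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Keep only the paths that no RPM package owns. Assumption: on a host
# without rpm, nothing is RPM-owned, so every path is passed through.
filter_unowned() {
    while IFS= read -r path; do
        if command -v rpm >/dev/null 2>&1 &&
           rpm -qf "$path" >/dev/null 2>&1; then
            continue
        fi
        printf '%s\n' "$path"
    done
}

# Constructed demo: create a directory, a file and a symlink under the given
# umask, as an install-time script would, then count what the audit reports.
demo_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        mkdir "$tmp/sysconfig"
        : > "$tmp/sysconfig/network"
        ln -s network "$tmp/sysconfig/link"
    )
    count=$(list_world_writable "$tmp/sysconfig" | filter_unowned |
            wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$count"
}
```

On an installed system the equivalent call is `list_world_writable /etc | filter_unowned`, which prints each path once instead of repeating the contents of unowned directories.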