[Full-disclosure] Re: Linux kernel source archive vulnerable

[coderpunk <coderpunk@xxxxxxxxx>]

On 9/11/06, Joe Feise <jfeise@xxxxxxxxx> wrote:
> coderpunk writes:
>
> >> The standard recommendation is to never compile
> >> the kernel as root.
> >>
> >>
> >
> > Which obviously doesn't help you when a non-root user edits the
> > kernel, you compile it as 'jerry' but still have to install it as
> > 'root'. You're still hosed.
>
> Geez, of course not. Unpacking the kernel as non-root honors umask.
> Problem solved.
> It would help to 'info tar' before posting...

That assumes a proper umask. The kernel source should not depend on
the end user's umask being setup properly.

I'm having a hard time understanding why so many people seem to be
resistant to setting proper permissions in the kernel tree source.
This is the single most important piece of source on a system, it
should be as secure as possible before being released.

Yes, you can mitigate those risks by doing things as non-root (not
everyone does), you can assume a proper umask (not everyone's is), or
you can just fix the permissons at the source and the problem goes
away.

.cp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/