Efforts to reduce this kind of a security "hole" are quite fruitless, so long as I or anyone can build a ./configure that will simply "rm -fr /*"; nevertheless, I do support David's comment:

> 2. A non-root mindset should be encouraged. Indeed, I'd support a case
> for a default of "if root then abandon build", but with an override
> capability for those (probably few) packages where root may be desirable
> or even essential.

Reinforcing this kind of a change in behavior may or may not be within our rights or objectives. It's a personal objective of mine, which I admit may be a soapbox upon which I stand alone.

Allan

David Lee wrote:

> On Sat, 8 Jun 2002, Bernd Jendrissek wrote:
>
> > On Fri, Jun 07, 2002 at 04:50:23PM -0400, Lawrence Teo wrote:
> > > My point is, if config.guess can be hardened against such potential symlink
> > > attacks, why shouldn't it be? Of course, it would be great to educate all
> > > admins not to build stuff as root. But it would also be a responsible thing
> > > to fix config.guess if we know that there's a potential issue in there.
> >
> > [snip]
> >
> > > Likewise, having a "hardened" config.guess file would not necessarily
> > > prevent symlink attacks, but it'll definitely make it much harder for an
> > > attacker to exploit it, even if the admin is sloppy.
> >
> > An attacker is hardly likely to distribute a "hardened" config.guess
> >
> > Build untrusted packages as root. Hose your system. Repeat until lesson
> > is learned: do not build untrusted packages as root.
>
> There seems to be a flaw there: assuming that the attacker is the
> distributor/provider of the package containing "config.guess".
>
> But the attacker may well be a third party, exploiting a weakness in the
> victim/builder's system as a weak, but innocent, package is installed.
>
> If there is a weakness in "config.guess" (or anywhere else) that can be
> reasonably fixed, shouldn't it be fixed?
>
> All those of us with experience would agree that, ideally, package
> building ought to be non-root. But I can think of at least one bona fide,
> trustworthy package, Samba, that, on some platforms, can benefit from
> being built as root as autoconf tries to discover something at root level
> (from foggy memory, I seem to recall it was a runtime locking mechanism).
>
>
> Summary:
>
> 1. Attacker and package-provider may well be different parties;
>
> 1. If there is a weakness, root or otherwise, reasonable attempts should
> be made to fix it, regardless of other considerations;
>
> 2. A non-root mindset should be encouraged. Indeed, I'd support a case
> for a default of "if root then abandon build", but with an override
> capability for those (probably few) packages where root may be desirable
> or even essential.
>
> --
>
> : David Lee                          I.T. Service          :
> : Systems Programmer                 Computer Centre       :
> :                                    University of Durham  :
> : http://www.dur.ac.uk/t.d.lee/      South Road            :
> :                                    Durham                :
> : Phone: +44 191 374 2882            U.K.                  :
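The two measures argued for in the thread above, a refuse-root default with an explicit override and a scratch directory that a pre-planted symlink in the temporary directory cannot redirect, written out as an added shell example. This is not code from the thread, from autoconf or from config.guess itself; the ALLOW_ROOT_BUILD knob, the function names and the constructed attacker scenario are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not code from the autoconf thread or from config.guess.
# Two guards a configure script could apply, illustrating the points
# argued above.  The ALLOW_ROOT_BUILD override and the function names
# are assumptions made for this illustration.

# root_build_allowed UID OVERRIDE
#   Returns 0 (proceed) when UID is not 0, or when UID is 0 and OVERRIDE
#   is "yes" (the hypothetical ALLOW_ROOT_BUILD knob).  Returns 1
#   (abandon the build) when running as root without the override.
root_build_allowed() {
    uid=$1
    override=$2
    if [ "$uid" -ne 0 ]; then
        return 0
    fi
    if [ "$override" = yes ]; then
        echo "warning: building as root because ALLOW_ROOT_BUILD=yes" >&2
        return 0
    fi
    echo "error: refusing to build as root (set ALLOW_ROOT_BUILD=yes to override)" >&2
    return 1
}

# claim_scratch_dir BASE
#   Prints a freshly created mode-0700 directory under BASE.  mkdir(2)
#   fails with EEXIST if anything already sits at that path, including a
#   dangling symlink planted by another user, so a successful mkdir means
#   we created it and own it.  Redirecting output to "$BASE/file" has no
#   such guarantee: the open follows a planted symlink and clobbers its
#   target, which is the classic /tmp symlink attack.
claim_scratch_dir() {
    base=$1
    i=0
    while [ "$i" -lt 10 ]; do
        d="$base/cfg-$$-$i"
        if (umask 077 && mkdir "$d") 2>/dev/null; then
            echo "$d"
            return 0
        fi
        i=$((i + 1))
    done
    echo "error: cannot create a private scratch directory in $base" >&2
    return 1
}

# make_private_tmpdir BASE
#   Prefers mktemp -d, which picks an unpredictable name and creates it
#   atomically; falls back to claim_scratch_dir where mktemp is absent.
make_private_tmpdir() {
    base=$1
    d=$(umask 077 && mktemp -d "$base/cfgXXXXXX" 2>/dev/null)
    if [ -n "$d" ] && [ -d "$d" ]; then
        echo "$d"
        return 0
    fi
    claim_scratch_dir "$base"
}

# When run directly: apply both guards to the current user and clean up.
if root_build_allowed "$(id -u)" "${ALLOW_ROOT_BUILD-}"; then
    scratch=$(make_private_tmpdir "${TMPDIR-/tmp}") && rmdir "$scratch"
fi
```

The per-process fallback name is predictable, which is why mktemp is preferred when it exists; the fallback is still safe against the symlink attack because mkdir either creates a brand-new directory or fails, it never follows what an attacker left at that name. Samba-style packages that genuinely need root would set the override rather than the default being silently permissive.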