Andrew Suffield wrote:
> On Tue, Jan 22, 2002 at 11:42:49AM +, Colin Phipps wrote:
> > On Tue, Jan 22, 2002 at 01:59:44AM +0100, Christian Jaeger wrote:
> > > I just wanted to point it out here, since I wasn't sure whether I
> > > should file a bug report against fakeroot for writing suid thro
On Tue, Jan 22, 2002 at 11:42:49AM +, Colin Phipps wrote:
> On Tue, Jan 22, 2002 at 01:59:44AM +0100, Christian Jaeger wrote:
> > I just wanted to point it out here, since I wasn't sure whether I
> > should file a bug report against fakeroot for writing suid through,
>
> I consider it a bug;
On Tue, Jan 22, 2002 at 01:59:44AM +0100, Christian Jaeger wrote:
> I just wanted to point it out here, since I wasn't sure whether I
> should file a bug report against fakeroot for writing suid through,
I consider it a bug; it's introducing a third permissions+ownership
state that was requested
On Tuesday, 2002-01-22 at 01:11:18 +0100, Christian Jaeger wrote:
> (BTW a somewhat similar problem (but not debian specific) exists with
> the perl CPAN module build process: -MCPAN is designed to work as
> root. It downloads the tarball, extracts it (with the user/group that
> the author pack
On Tue, Jan 22, 2002 at 01:11:18AM +0100, Christian Jaeger wrote:
> This can be a real security hole, at least when you are not aware of
> it (I have just discovered a working way to exploit it on one of my
> machines).
And isn't that a bug in the package in question? :)
--
Daniel Jacobowitz
For the non-mathematical, or rather grammatical, style to say it, I use the
phrase:
"Security is Inconvenient."
The first time I say it to someone, they usually pause for a moment, digest it,
and it really helps in further discussions about "what to do about...".
It's my answer, for instance, wh
>yes, that's UNIX life. convenience ~ security^-1,
I just wanted to point it out here, since I wasn't sure whether I
should file a bug report against fakeroot for writing suid through,
or one for the fakeroot manpage not mentioning the danger, or one for
dpkg-buildpackage either for not mentio
also sprach Christian Jaeger <[EMAIL PROTECTED]> [2002.01.22.0129 +0100]:
> They were accessible, because I didn't realize that there was a risk,
> and because it's convenient when other users on the system can grab
> the finished .deb's from the build dir (to install them on their
> machine) wi
At 1:19 Uhr +0100 22.01.2002, martin f krafft wrote:
>why are your build directories accessible to the world? a simple
>chmod 0700 ~/deb/build fixes all these problems for me, and
>persistently...
They were accessible, because I didn't realize that there was a risk,
and because it's convenient wh
also sprach Christian Jaeger <[EMAIL PROTECTED]> [2002.01.22.0111 +0100]:
> Now you may say "don't build packages as root, use fakeroot instead".
> Well I have always used it, and somehow thought I'm safe, but I'm
> not: the permissions modes (like 4755) make it through to the real
> filesystem,