On Thursday 13 November 2008, Michael G Schwern wrote:
> Andreas J. Koenig wrote:
> >>>>>> On Wed, 12 Nov 2008 19:13:40 -0800, Michael G Schwern
> >>>>>> <[EMAIL PROTECTED]> said:
> >
> > > Now that the CPAN shells and archiving modules are handling it at
> > > their end, I think the PAUSE filter should be removed. It's not
> > > PAUSE's job to be the code police.
> >
> > It is 'tar xzf CPANFILE.tar.gz' which is exploitable. No CPAN shell
> > and archiving module involved.
>
> What I was expressing is that the CPAN shell can do the twiddling to strip
> flags at the point of extraction, rather than PAUSE stopping it at the
> gate. Archive::Tar already does this (see
> $Archive::Tar::INSECURE_EXTRACT_MODE).

Archive::Tar does, but Archive::Extract (which CPANPLUS uses) doesn't.

> The important distinction being that
> it's done under the user's control and not by PAUSE fiat. PAUSE shouldn't
> be playing security nanny or any other nanny.
>
> It's not even necessary or effective. Because there's already a perfectly
> sensible and universal way to avoid this problem and that's to set your
> umask to something sensible. Then no matter what the archive's internal
> permissions are set to they'll be stripped when it's extracted.

I already have a sensible umask. However, CPANPLUS ignores it and sets the
permissions to be world-writable. See these bugs:

* http://rt.cpan.org/Ticket/Display.html?id=39516
* http://rt.cpan.org/Ticket/Display.html?id=39554

>
> Most systems already do this by default, because it's good security
> practice. If you don't have a umask set, that's a basic vulnerability *at
> the user's end*. No amount of hand-holding from CPAN will protect the user
> without a umask. Some other system will ship a world writable file or a
> setuid executable or something. Then you're hosed all over again.
>
> We are trying to fix a basic, wide-spread, user-end security hole, one that
> is not at all specific to Perl, at too high a level and too specific a
> system.
>
> It's like plugging one hole in a screen door.

It's not necessarily a problem at the user-end, because CPANPLUS ignores the
(secure) umask I set and still sets the permissions to 666 or 777.

Regards,

        Shlomi Fish

-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
http://www.shlomifish.org/humour/ways_to_do_it.html

Shlomi, so what are you working on? Working on a new wiki about unit testing
fortunes in freecell? -- Ran Eilam
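
The exchange above turns on which mode bits survive extraction. The following Python code is an added example, not part of the original message or of any CPAN tool: it audits a tarball for world-writable and setuid/setgid entries and extracts regular files while applying a umask explicitly. The archive contents, the `Foo-0.01` paths and all function names are constructed for illustration.

```python
import io, os, stat, tarfile

def build_sample_tar():
    """Constructed sample archive: names and modes are made up for this example."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode in [("Foo-0.01/Makefile.PL", 0o666),
                           ("Foo-0.01/bin/foo", 0o777),
                           ("Foo-0.01/lib/Foo.pm", 0o644),
                           ("Foo-0.01/bin/helper", 0o4755)]:
            data = b"# sample\n"
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def audit(tar_bytes, umask=0o022):
    """Return (name, archived mode, mode after umask, findings) per regular file."""
    report = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            findings = []
            if m.mode & stat.S_IWOTH:
                findings.append("world-writable")
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append("setuid/setgid")
            report.append((m.name, m.mode, m.mode & 0o777 & ~umask, findings))
    return report

def extract_masked(tar_bytes, dest, umask=0o022):
    """Extract regular files, applying the umask to the archived mode explicitly."""
    root = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            target = os.path.realpath(os.path.join(root, m.name))
            if os.path.commonpath([root, target]) != root:
                raise ValueError("member escapes destination: " + m.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(tar.extractfile(m).read())
            # chmod ignores the process umask, so mask the archived bits here.
            os.chmod(target, m.mode & 0o777 & ~umask)
    return root
```

An extractor that calls `chmod` with the archived mode unmasked reproduces the 666/777 result reported in the message, whatever umask the user has set.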