>>>>> On Wed, 12 Nov 2008 20:44:45 -0800, Michael G Schwern <[EMAIL PROTECTED]> >>>>> said:
> Andreas J. Koenig wrote: >>>>>>> On Wed, 12 Nov 2008 19:13:40 -0800, Michael G Schwern <[EMAIL >>>>>>> PROTECTED]> said: >> >> > Now that the CPAN shells and archiving modules are handling it at their >> > end, I >> > think the PAUSE filter should be removed. It's not PAUSE's job to be the >> > code >> > police. >> >> It is 'tar xzf CPANFILE.tar.gz' which is exploitable. No CPAN shell >> and archiving module involved. > What I was expressing is that the CPAN shell can do I know very well what the cpan shell can do, but it cannot replace tar. > the twiddling to strip > flags at the point of extraction, rather than PAUSE stopping it at the gate. > Archive::Tar already does this (see $Archive::Tar::INSECURE_EXTRACT_MODE). > The important distinction being that it's done under the user's control and > not by PAUSE fiat. I don't care what the users do under their control. I care that they do not get hosed by the perl community. > PAUSE shouldn't be playing security nanny or any other nanny. PAUSE is innocent and shall remain so. But when the perl community does not enough to protect the innocent user from stupid packaging some sort of action is required. We can find alternative ways of dealing with it but we are responsible for avoiding harm to the innocent. > It's not even necessary or effective. Because there's already a perfectly > sensible and universal way to avoid this problem and that's to set your umask > to something sensible. Then no matter what the archive's internal > permissions > are set to they'll be stripped when it's extracted. Hear, hear. I tell you again, I don't care what the users do under their control. I care that they do not get hosed by the perl community. > Most systems already do this by default, because it's good security > practice. If you don't have a umask set, that's a basic > vulnerability *at the user's end*. No amount of hand-holding from > CPAN will protect the user without a umask. Some other system will > ship a world writable file or a setuid executable or something. > Then you're hosed all over again. You are not well informed. # umask 002 # tar xzf /home/ftp/pub/PAUSE/authors/id/Y/YV/YVES/ExtUtils-Install-1.51.tar.gz # ls -la ExtUtils-Install-1.51 total 1104 drwxrwxrwx 4 544 513 4096 Nov 12 20:02 ./ drwxrwxrwt 10110 root root 1073152 Nov 13 08:24 ../ -rwxrwxrwx 1 544 513 1765 Mar 3 2008 Build.PL* -rwxrwxrwx 1 544 513 8911 Nov 12 19:58 Changes* -rwxrwxrwx 1 544 513 197 Sep 10 2007 INSTALL.SKIP* -rwxrwxrwx 1 544 513 446 Nov 5 21:51 MANIFEST* -rwxrwxrwx 1 544 513 458 Sep 10 2007 MANIFEST.SKIP* -rwxrwxrwx 1 544 513 743 Nov 12 20:02 META.yml* -rwxrwxrwx 1 544 513 2506 Mar 3 2008 Makefile.PL* -rwxrwxrwx 1 544 513 1282 Sep 10 2007 README* drwxrwxrwx 3 544 513 4096 Nov 12 20:01 lib/ drwxrwxrwx 3 544 513 4096 Nov 12 20:01 t/ > We are trying to fix a basic, wide-spread, user-end security hole, one that > is > not at all specific to Perl, at too high a level and too specific a system. It's not wide spread, it's only coming frrom a handful of Windows users and we have to react some way or another. Doing nothing is not an option. > It's like plugging one hole in a screen door. Pfff, there's no arguing about the minitude of the achievement per se. I'm much more annoyed by your intervention than I'm already annoyed by the mere fact that we have to fritter away our time with such a stupidity. -- andreas
