Andreas J. Koenig wrote:
> > Most systems already do this by default, because it's good security
> > practice. If you don't have a umask set, that's a basic
> > vulnerability *at the user's end*. No amount of hand-holding from
> > CPAN will protect the user without a umask. Some other system will
> > ship a world writable file or a setuid executable or something.
> > Then you're hosed all over again.
>
> You are not well informed.
>
> # umask
> 002
> # tar xzf /home/ftp/pub/PAUSE/authors/id/Y/YV/YVES/ExtUtils-Install-1.51.tar.gz
> # ls -la ExtUtils-Install-1.51
> total 1104
> drwxrwxrwx 4 544 513 4096 Nov 12 20:02 ./
> drwxrwxrwt 10110 root root 1073152 Nov 13 08:24 ../
> -rwxrwxrwx 1 544 513 1765 Mar 3 2008 Build.PL*
> -rwxrwxrwx 1 544 513 8911 Nov 12 19:58 Changes*
> -rwxrwxrwx 1 544 513 197 Sep 10 2007 INSTALL.SKIP*
> -rwxrwxrwx 1 544 513 446 Nov 5 21:51 MANIFEST*
> -rwxrwxrwx 1 544 513 458 Sep 10 2007 MANIFEST.SKIP*
> -rwxrwxrwx 1 544 513 743 Nov 12 20:02 META.yml*
> -rwxrwxrwx 1 544 513 2506 Mar 3 2008 Makefile.PL*
> -rwxrwxrwx 1 544 513 1282 Sep 10 2007 README*
> drwxrwxrwx 3 544 513 4096 Nov 12 20:01 lib/
> drwxrwxrwx 3 544 513 4096 Nov 12 20:01 t/

Your tar is not honoring umask. I consider that the security problem, not the archive. Fixing the archive only hides the real problem, because that user is going to download another archive from somewhere else and it's not going to be protected.

What tar is that, btw? I've tried out both BSD and GNU tar.

> > We are trying to fix a basic, wide-spread, user-end security hole, one that is
> > not at all specific to Perl, at too high a level and too specific a system.
>
> It's not wide spread, it's only coming from a handful of Windows
> users and we have to react some way or another. Doing nothing is not
> an option.

I was referring to the lack of umask protection on the system extracting the archive. If you don't have that, you're hosed a dozen ways far more serious than any of this.

I guess this is where we fundamentally disagree. I see fixing the archive as not having a real impact on the user's security, because the hole is still there, and thus not worth risking CPAN's common carrier status.

> > It's like plugging one hole in a screen door.
>
> Pfff, there's no arguing about the minitude of the achievement per se.
> I'm much more annoyed by your intervention than I'm already annoyed by
> the mere fact that we have to fritter away our time with such a
> stupidity.

I'm sorry to kick up a fuss, but I believe it's really important that CPAN remain a common carrier. See my earlier post to Yves about that.

Granted I think I lost a bit of perspective and forgot that it's only the indexer that's rejecting the file, it's still on CPAN. The idea of PAUSE modifying the file is what got me wound up.

--
Just call me 'Moron Sugar'.
http://www.somethingpositive.net/sp05182002.shtml
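
Added example, not part of the original message and not PAUSE's or tar's own code: a Python check that reads the permission bits stored in a tarball without extracting it, flags world-writable and setuid/setgid members like those in the listing quoted above, and shows what a umask would leave on disk. The archive contents, the function names and the `preserve` flag are assumptions made for illustration; `preserve` models extraction with stored permissions kept (GNU tar's `-p`, its default when run as the superuser).

```python
import io
import stat
import tarfile

def build_sample_archive():
    """Constructed sample tarball; names and modes are made up for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, kind in [
            ("Sample-Dist-0.01", 0o777, tarfile.DIRTYPE),
            ("Sample-Dist-0.01/Makefile.PL", 0o777, tarfile.REGTYPE),
            ("Sample-Dist-0.01/README", 0o644, tarfile.REGTYPE),
            ("Sample-Dist-0.01/bin/helper", 0o4755, tarfile.REGTYPE),
        ]:
            info = tarfile.TarInfo(name)
            info.mode, info.type = mode, kind
            data = b"" if kind == tarfile.DIRTYPE else b"sample\n"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)
    buf.seek(0)
    return buf

def extracted_mode(stored, umask, preserve):
    """Mode left on disk: the umask is applied unless permissions are preserved."""
    return stored if preserve else stored & ~umask

def audit(fileobj, umask=0o002):
    """Return (name, stored mode, flags) for every member with risky stored bits."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar.getmembers():
            flags = []
            if m.mode & stat.S_IWOTH:
                flags.append("world-writable")
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                flags.append("setuid/setgid")
            # Still world-writable after the umask is applied (e.g. umask 000)?
            if extracted_mode(m.mode, umask, preserve=False) & stat.S_IWOTH:
                flags.append("world-writable even under umask")
            if flags:
                findings.append((m.name, m.mode, flags))
    return findings

if __name__ == "__main__":
    for name, mode, flags in audit(build_sample_archive()):
        print(f"{mode:04o} {name}: {', '.join(flags)}")
```

With umask 002 a stored mode of 0777 extracts as 0775, so the listing in the quoted message is what extraction with preserved permissions produces.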