
[RFC] Dealing with World-writable Files in the Archive of CPANDistributions

Shlomi Fish
September 22, 2008 05:40
Hi all.

Today, after I invoked my CPAN smoker for a while, I received another msec 
(Mandriva Security) report with many world-writable files in the CPAN 
distributions that were left unpacked under /home/cpan/.cpanplus. Among the 
gems there are:


As I noted here - :

> * Why exactly are you reporting this?

Because msec reports it after I'm smoking CPAN.

> * What is the problem with world writeable files in a distro?

Let's suppose Makefile.PL is world-writable. While the distro is being
unpacked, a malicious user writes something like:

system('rm -fr $HOME');

to it, and after you come to the "perl Makefile.PL" stage - you lose
your home-directory. ;-)

In any case, Mandriva's msec warns about them, which bothers me.

> * What is your proposed remedy?

Make sure none of the files in the archive are world-writable.

My suggestion for resolving this is to modify the smoking modules so, after 
the archive is unpacked (with a proper umask and arguments to tar), they will 
traverse the directory tree and look for any world-writable files. If any are 
found, they will report the smoking of the module as "FAIL", and delete the 
unpacked directory tree, without doing the "perl Makefile.PL/Build.PL ..." 

We could give an option for doing this, if it bothers you. But I'm tired of 
finding these files in the msec report and reporting them manually.

Now I volunteer to implement this.


	Shlomi Fish

Shlomi Fish
What Makes Software Apps High Quality -

Shlomi, so what are you working on? Working on a new wiki about unit testing 
fortunes in freecell? -- Ran Eilam
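
The guard proposed above (unpack with a safe umask and tar arguments, walk the tree, grade the distribution FAIL and discard it if anything is world-writable), as an added POSIX shell example that is not part of the original post or of CPANPLUS; the function names and the /home/cpan/.cpanplus path are assumptions:

```shell
#!/bin/sh
# Added example (not from the original post): a smoke-time guard that
# unpacks a distribution with a restrictive umask, then refuses to run
# Makefile.PL/Build.PL if any world-writable entry survives in the tree.

# Print world-writable regular files and directories under $1.
# -perm -002 matches "others may write"; symlinks are not matched because
# only -type f and -type d are selected (and find is not run with -L).
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# Unpack $1 (a .tar.gz) into $2. umask 022 strips group/other write bits
# from everything tar creates, and --no-same-permissions (GNU tar and
# bsdtar) stops tar from restoring the archive's stored modes, which it
# would otherwise do by default when the smoker runs as root.
unpack_dist() {
    tarball=$1; dest=$2
    mkdir -p "$dest"
    ( umask 022 && tar --no-same-permissions -xzf "$tarball" -C "$dest" )
}

# Check an unpacked tree. Returns 0 if clean. Otherwise prints the
# offenders, removes the tree so nothing in it is ever executed, and
# returns 1 so the caller can grade the distribution as FAIL.
check_unpacked_dist() {
    dir=$1
    bad=$(find_world_writable "$dir")
    if [ -n "$bad" ]; then
        printf 'FAIL: world-writable entries in %s:\n%s\n' "$dir" "$bad" >&2
        rm -rf "$dir"
        return 1
    fi
    return 0
}

# Usage (assumed paths), to be run before "perl Makefile.PL":
#   unpack_dist Foo-1.00.tar.gz /home/cpan/.cpanplus/build/Foo-1.00 \
#     && check_unpacked_dist /home/cpan/.cpanplus/build/Foo-1.00
```

Checking directories as well as files matters: a world-writable build directory lets anyone replace Makefile.PL wholesale, even if the file itself is mode 644.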
