perl.qa | Postings from September 2008

[RFC] Dealing with World-writable Files in the Archive of CPAN Distributions

From: Shlomi Fish
Date: September 22, 2008 05:40
Subject: [RFC] Dealing with World-writable Files in the Archive of CPAN Distributions
Message ID: 200809221540.17769.shlomif@iglu.org.il
Hi all.

Today, after running my CPAN smoker for a while, I received another msec 
(Mandriva Security) report listing many world-writable files in the CPAN 
distributions that were left unpacked under /home/cpan/.cpanplus . Among the 
gems there are:

{{{{
/home/cpan/.cpanplus/5.10.0/build/Data-Dump-Streamer-2.08-40/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Digest-JHash-0.05/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Getopt-ArgvFile-1.11/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/HTML-Scrubber-0.08/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Kephra-0.3.10.11/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Readonly-1.03/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/OOTools-2.21/Makefile.PL
}}}}

As I noted here - http://rt.cpan.org/Ticket/Display.html?id=39481 :

{{{{{{{{{{{{
> * Why exactly are you reporting this?
>

Because msec reports it after I'm smoking CPAN.

> * What is the problem with world writeable files in a distro?

Let's suppose Makefile.PL is world-writable. While the distro is being
unpacked, a malicious user writes something like:

{{{
system('rm -fr $HOME');
}}}

to it, and after you come to the "perl Makefile.PL" stage - you lose
your home-directory. ;-)

In any case, Mandriva's msec warns about them, which bothers me.

>
> * What is your proposed remedy?

Make sure none of the files in the archive are world-writable.
}}}}}}}}}}}}}}}

My suggestion for resolving this is to modify the smoking modules so that, after 
the archive is unpacked (with a proper umask and arguments to tar), they 
traverse the directory tree and look for any world-writable files. If any are 
found, they report the smoking of the module as "FAIL" and delete the 
unpacked directory tree, without doing the "perl Makefile.PL/Build.PL ..." 
dance.

We could give an option for doing this, if it bothers you. But I'm tired of 
finding these files in the msec report and reporting them manually.

Now I volunteer to implement this.

Regards,

	Shlomi Fish

-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
What Makes Software Apps High Quality -  http://xrl.us/bkeuk

Shlomi, so what are you working on? Working on a new wiki about unit testing 
fortunes in freecell? -- Ran Eilam
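The check proposed in the post, written out as an added example. This is not CPANPLUS or CPAN smoker code; it is a stand-alone Perl script that walks an unpacked build directory, collects every file or directory whose mode has the "other write" bit set, and, if it finds any, reports "FAIL" and removes the tree instead of proceeding to "perl Makefile.PL". The function names (find_world_writable, check_unpacked_dist), the demonstration distribution name Example-Dist-0.01 and the placeholder files it creates are all assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the post or from CPANPLUS: reject an unpacked
# distribution that contains world-writable entries.
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Find qw(find);
use File::Path qw(remove_tree);
use File::Spec;
use File::Temp qw(tempdir);

# Return the paths (relative to $dir) of every file or directory under $dir
# whose mode has S_IWOTH set. Symlinks are skipped: a symlink's own mode is
# meaningless, and a target inside the tree is visited on its own anyway.
sub find_world_writable {
    my ($dir) = @_;
    my @bad;
    find(
        {
            no_chdir => 1,
            wanted   => sub {
                my @st = lstat $File::Find::name or return;
                my $mode = $st[2];
                return if S_ISLNK($mode);
                push @bad, File::Spec->abs2rel($File::Find::name, $dir)
                    if $mode & S_IWOTH;
            },
        },
        $dir,
    );
    return sort @bad;
}

# What the smoker would do with a freshly unpacked build directory: report
# "FAIL" and delete the tree if anything in it is world-writable, "OK" otherwise.
sub check_unpacked_dist {
    my ($dir) = @_;
    my @bad = find_world_writable($dir);
    if (@bad) {
        warn "world-writable entries under $dir:\n", map { "  $_\n" } @bad;
        remove_tree($dir);
        return 'FAIL';
    }
    return 'OK';
}

# Helper for the constructed demonstration: create a placeholder file with
# an explicit mode, bypassing the umask on purpose (as a tar archive can).
sub write_file {
    my ($path, $mode) = @_;
    open my $fh, '>', $path or die "open $path: $!";
    print {$fh} "# placeholder\n";
    close $fh;
    chmod $mode, $path or die "chmod $path: $!";
}

# Constructed demonstration: a fake unpacked distribution (hypothetical name)
# whose Makefile.PL is world-writable, then the same tree with sane modes.
umask 022;
my $build = tempdir(CLEANUP => 1);
my $dist  = File::Spec->catdir($build, 'Example-Dist-0.01');

mkdir $dist or die "mkdir $dist: $!";
write_file(File::Spec->catfile($dist, 'Makefile.PL'), 0666);   # world-writable
write_file(File::Spec->catfile($dist, 'README'),      0644);
print "first unpack:  ", check_unpacked_dist($dist), "\n";     # FAIL
print "tree removed:  ", (-d $dist ? 'no' : 'yes'), "\n";       # yes

mkdir $dist or die "mkdir $dist: $!";
write_file(File::Spec->catfile($dist, 'Makefile.PL'), 0644);
write_file(File::Spec->catfile($dist, 'README'),      0644);
print "second unpack: ", check_unpacked_dist($dist), "\n";     # OK
```

The scan uses lstat rather than stat so that a symlink pointing outside the tree is neither followed nor misreported, and it is run after unpacking, so it catches whatever mode the unpacker actually left on disk, whether that came from the archive or from the extraction step. It is a detection, not a fix: the umask and tar arguments still have to be right for the files that pass the check to be safe.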
