Re: Bug#286905: perl-modules: File::Path::rmtree makes setuid

Rafael Garcia-Suarez
January 12, 2005 05:15
How does this relate to the Debian patch 22_fix_file_path
for CAN-2004-0452, which I'm pasting below?

That said, an implementation of rmtree() that uses /bin/rm
isn't suitable for inclusion in perl itself.
[Adapted from Chip Turner's 5.8.0 patch]
Fix for CAN-2004-0452.  Change chmod's to make files writable/executable
by the current user only and not by the entire world.  chmod's are necessary
in the first place, but at least this makes them less dangerous.  If, for
some reason, the rm process dies halfway through, at worst some files and
dirs were revoked from others, not made available.

--- lib/File/    2001-03-21 04:40:22.000000000 +1100
+++ lib/File/    2004-12-22 23:46:54.000000000 +1100
@@ -174,7 +174,7 @@
            # it's also intended to change it to writable in case we have
            # to recurse in which case we are better than rm -rf for
            # subtrees with strange permissions
-           chmod(0777, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
+           chmod(0700, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
              or carp "Can't make directory $root read+writeable: $!"
                unless $safe;
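Review bot: the new mode 0700 is an absolute mode, so besides dropping the group/other bits it also clears any setgid or sticky bit that was set on $root, which the patch header ("writable/executable by the current user only") does not mention; if that is intended, state it in the header. The chmod is still applied by path name (chmod follows symlinks), so the narrower mode limits what a bad chmod exposes but does not change which object the chmod lands on; a reviewer would want the call skipped when -l $root is true rather than relying on the mode alone.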
@@ -202,7 +202,7 @@
                print "skipped $root\n" if $verbose;
-           chmod 0777, $root
+           chmod 0700, $root
              or carp "Can't make directory $root writeable: $!"
                if $force_writeable;
            print "rmdir $root\n" if $verbose;
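Review bot: the chmod on $root immediately before the rmdir does not gate the rmdir at all, since POSIX checks write and search permission on the parent directory, not the mode of the directory being removed; the carp text "Can't make directory $root writeable" therefore overstates what the call achieves. Tightening 0777 to 0700 is the right direction, but the cleaner fix here is to question whether this chmod under $force_writeable is needed at all, and to note in the header that 0700 also clears setgid/sticky bits as in the first hunk.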
@@ -224,7 +224,7 @@
                print "skipped $root\n" if $verbose;
-           chmod 0666, $root
+           chmod 0600, $root
              or carp "Can't make file $root writeable: $!"
                if $force_writeable;
            print "unlink $root\n" if $verbose;
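Review bot: as with the rmdir hunk, unlink() succeeds or fails on the permissions of the containing directory, not on the file's own mode, so `chmod 0600, $root` before the unlink does not make the unlink possible and the message "Can't make file $root writeable" is misleading. What the change does do is clear the setuid/setgid bits (0600 is absolute) and stop the old 0666 from making a file world-writable if the removal is interrupted, which matches the header's rationale; since chmod follows a symlink at $root to its target, the same suggestion applies: skip the chmod when -l $root, so the mode change cannot be redirected at a file outside the tree.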
