OT: chown and permissions
Fairlight
fairlite at fairlite.com
Sat Apr 15 15:03:17 PDT 2006
Only Jay Ashworth would say something like:
> On Wed, Apr 12, 2006 at 08:28:01PM -0400, Fairlight wrote:
> > Oh, now here's a gem. I got thinking about tar, right? WORSE: rsync! I
> > just rsync'd a file that's 4755 fairlite on my linux box to a totally
> > different account on Solaris. It maintained the suid bit. I can't believe
> > that. Very tempted to submit that as a vulnerability. That's just wrong
> > on so many levels. There's -no- mechanism for matching users there.
>
> IMHO, rsync should not be able to set the S*ID bits on any file it touches
> unless the file is of the same ownership as the user running the
> program, or that user is root -- and while I see that this can cause
> problems when the two machines are not {under the same administrative
> span of control,using the same UID map}, that's an installer
> administrative issue; the code should provide a mechanism to be even
> more secure -- and perhaps even default to it -- but should also allow
> the more relaxed behavior.
Agreed. I'd opt for default secure, optional relaxed. Think it's worth a
letter to the maintainer(s)? You wanna do it, or should I?
mark->
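The behaviour described in this thread, an `rsync -a` carrying a 4755 mode onto a file that ends up owned by a different account on the receiving host, can be audited for and undone on the receiving side. The script below is an added example for readers and is not code from the thread or from the rsync project; it assumes only a POSIX `find` and `chmod`, and the `safe_rsync` wrapper assumes an rsync new enough to have `--chmod` (2.6.7 or later).

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Setuid/setgid bits (4000 and 2000 in the mode) are what the thread is
# worried about: rsync -a (-p) preserves them, and on the receiver they end
# up on a file owned by whatever account ran the transfer.

# report_setxid DIR: list every regular file under DIR carrying setuid or
# setgid, with its owner, so a mismatch like the one in the thread is visible.
report_setxid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;
}

# count_setxid DIR: number of setuid/setgid regular files under DIR.
count_setxid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# strip_setxid DIR: clear setuid and setgid on every regular file under DIR.
# Symlinks are skipped by -type f so only real inodes are touched.
strip_setxid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +
}

# safe_rsync [rsync args...]: the "default secure" copy the thread asks for.
# --chmod is applied to every file rsync writes, so the setuid/setgid bits
# never land on the destination even though -a otherwise preserves modes.
# Not exercised by the checks below; rsync may not be installed.
safe_rsync() {
    rsync -a --chmod=u-s,g-s "$@"
}

# Usage (uncomment to run against a real tree):
# report_setxid /home/destination-account
# strip_setxid /home/destination-account
# safe_rsync source/ user@solaris-host:destination/
```

`--no-perms` is the blunter alternative to `--chmod`: it stops rsync preserving modes at all, so the receiver's umask decides. `--chmod=u-s,g-s` keeps the rest of the mode intact and only drops the two bits that matter when the UID maps on the two hosts are unrelated.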