This is the mail archive of the automake@gnu.org mailing list for the automake project.
Re: Automake security problem
- To: Jim Meyering <meyering at ascend dot com>
- Subject: Re: Automake security problem
- From: François Pinard <pinard at iro dot umontreal dot ca>
- Date: 03 Mar 2000 07:04:47 -0500
- Cc: Bob Friesenhahn <bfriesen at simple dot dallas dot tx dot us>, automake at gnu dot org
- References: <Pine.SO4.4.05.10002292127100.22694-100000@scooby.simplesystems.org> <ury7lfnxeo5.fsf@ixi.eng.ascend.com>
Jim Meyering <meyering@ascend.com> writes:
> Bob Friesenhahn <bfriesen@simple.dallas.tx.us> writes:
> | I am using CVS automake. After doing a 'make dist', I find that all
> | the files in my source directories are marked world read/write. This
> | makes it easier for others to add trojan horses to the code I write.
> Ick. Thanks for providing the impetus finally to fix this.
The permissions set by the distribution process have been discussed a few
times already, with this quote from (standards)Releases in context:
---------------------------------------------------------------------->
Make sure that the directory into which the distribution unpacks (as
well as any subdirectories) are all world-writable (octal mode 777).
This is so that old versions of `tar' which preserve the ownership and
permissions of the files from the tar archive will be able to extract
all the files even if the user is unprivileged.
----------------------------------------------------------------------<
I find it difficult to agree with it, nowadays. Be very sure I'm not
pushing for this either, but maybe you guys are less free than I am :-).
--
François Pinard http://www.iro.umontreal.ca/~pinard
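
An audit for the condition reported in this thread, as an added example that is not part of the original message or of automake: it lists the members of a distribution tarball that carry the world-write bit and re-packs the archive with group and other write cleared. The sample tree, its file names and the function names are constructed for illustration.

```python
import io
import stat
import tarfile

# Constructed sample: a dist tree carrying the modes described in the thread.
SAMPLE = [
    ("pkg-1.0", tarfile.DIRTYPE, 0o777, b""),
    ("pkg-1.0/src", tarfile.DIRTYPE, 0o777, b""),
    ("pkg-1.0/src/main.c", tarfile.REGTYPE, 0o666, b"int main(void) { return 0; }\n"),
    ("pkg-1.0/configure", tarfile.REGTYPE, 0o755, b"#!/bin/sh\n"),
]

def build_sample_tarball() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, mode, data in SAMPLE:
            info = tarfile.TarInfo(name)
            info.type, info.mode, info.size = kind, mode, len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)
    return buf.getvalue()

def world_writable_members(tar_bytes: bytes) -> list:
    """Return (name, kind, mode) for each member whose o+w bit is set."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                continue  # a link's own mode bits are not meaningful
            if m.mode & stat.S_IWOTH:
                kind = "dir" if m.isdir() else "file"
                findings.append((m.name, kind, format(m.mode & 0o7777, "04o")))
    return findings

def strip_group_other_write(tar_bytes: bytes) -> bytes:
    """Re-pack the archive with g+w and o+w cleared (the bits umask 022 masks)."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as src, \
            tarfile.open(fileobj=out, mode="w") as dst:
        for m in src.getmembers():
            m.mode &= ~0o022
            dst.addfile(m, src.extractfile(m) if m.isreg() else None)
    return out.getvalue()

if __name__ == "__main__":
    original = build_sample_tarball()
    for name, kind, mode in world_writable_members(original):
        print(f"world-writable {kind}: {mode} {name}")
    print("after re-pack:", world_writable_members(strip_group_other_write(original)))
```

The check reads only the modes recorded in the archive headers, so it can run on a tarball before anything is extracted.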