This is the mail archive of the
automake@gnu.org
mailing list for the automake project.
Re: SECURITY ALERT
[ On Thursday, May 13, 1999 at 08:17:37 (-0400), Rich Paul wrote: ]
> Subject: Re: SECURITY ALERT
>
> On 12 May 1999, Alexandre Oliva wrote:
> >
> > What I don't get is why `make distdir' creates the distdir as a
> > world-writable directory. Tom, wouldn't it be better to chmod it to
> > 755 instead of 777? This would avoid the security hole in the libtool
> > installation (that uses make distdir to install the libltdl source
> > tree) and would avoid security holes for unwarned developers (like me)
> > that keep `make distcheck' running for a long time on slow hosts :-(
>
> Really, 700 wouldn't be so bad.
It could just just (777 & ~umask), though if you don't trust the
developer to make his umask safe then 755 is a vastly better default
than 700 for directories created in a distribution. It annoys me to no
end when things don't unpack with at least world-readability.
Paranoid developers can also do something like "chmod 700 .." too, but
that's not a real fix.
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>