This is the mail archive of the automake@gnu.org mailing list for the automake project.



Re: SECURITY ALERT


On May 14, 1999, Tom Tromey <tromey@cygnus.com> wrote:

>        Make sure that the directory into which the distribution unpacks (as
>     well as any subdirectories) are all world-writable (octal mode 777).

> I wonder if this requirement makes sense any more.

> We ought to talk to RMS about it.  And if he's recalcitrant we can
> always add a new variable if people think it is worthwhile.

Or we could create directories as 755 (or as whatever the user's umask 
says), and only chmod them to 777 before creating the tar-file, with
`find -type d -exec chmod 777 {} \;'

Since it's likely to be `rm -rf'ed just after the tar-file is created, 
the unsafe window is much smaller (although still existent), but
libtool's use of `make distdir' for installing libltdl would be
automatically solved.

Anyway, I've just hacked a solution that will work regardless of this
fix: I've created a do-nothing script called chmod in a sub-directory
of the libtool distribution, that will be prepended to the PATH before
installing libltdl's sources.

I've also created a `ln' that will just `exit 1', so as to avoid
creating hard-links of source files in the install tree.

Can anyone see a problem in this approach?

-- 
Alexandre Oliva http://www.dcc.unicamp.br/~oliva IC-Unicamp, Bra[sz]il
{oliva,Alexandre.Oliva}@dcc.unicamp.br  aoliva@{acm.org,computer.org}
oliva@{gnu.org,kaffe.org,{egcs,sourceware}.cygnus.com,samba.org}
*** E-mail about software projects will be forwarded to mailing lists
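
The PATH-shim workaround described in the message above, as an added example that is not part of the original post and is not libtool's or automake's code. The function names, the file name src.c and the simplified copy step are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; the copy step is a simplified stand-in for a
# distdir-style rule, not automake's or libtool's actual code.

make_shims() {                       # $1: directory for the shim commands
    mkdir -p "$1"
    printf '#!/bin/sh\nexit 0\n' > "$1/chmod"   # do-nothing chmod
    printf '#!/bin/sh\nexit 1\n' > "$1/ln"      # ln always fails
    chmod 755 "$1/chmod" "$1/ln"     # real chmod: shims are not on PATH yet
}

distdir_step() {                     # $1: source file, $2: destination dir
    mkdir -p "$2"
    # Try a hard link first, fall back to a copy.
    ln "$1" "$2/$(basename "$1")" 2>/dev/null || cp -p "$1" "$2/"
    chmod 777 "$2"                   # the world-writable step under discussion
}

audit() {                            # $1: source file, $2: installed tree
    ww=$(find "$2" -type d -perm -0002 | wc -l | tr -d ' ')
    hl=$(find "$1" -links +1 | wc -l | tr -d ' ')
    echo "world_writable_dirs=$ww hardlinked_sources=$hl"
}

run_demo() {                         # $1: "plain" or "shim"
    work=$(mktemp -d) || return 1
    (
        umask 022
        echo 'int x;' > "$work/src.c"       # constructed sample source
        if [ "$1" = shim ]; then
            make_shims "$work/shims"
            PATH="$work/shims:$PATH"
        fi
        distdir_step "$work/src.c" "$work/inst"
        audit "$work/src.c" "$work/inst"
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

run_demo plain
run_demo shim
```

With the shims first on PATH the installed directory keeps the umask-derived mode and the source file is copied rather than hard-linked. The do-nothing chmod also swallows every other mode change the wrapped step attempts, so the audit is worth running on the real install tree as well.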

