in reply to Re^2: Executable bit sloppiness in modules in thread Executable bit sloppiness in modules
I don't get it. If someone has access to execute "thanks.txt", they'll already have access to run every command in it separately, so the file itself is buying them absolutely nothing. Unless it's somehow being installed suid (which would be a huge problem) or ending up in someone else's path.
Re^4: Executable bit sloppiness in modules
by zentara (Archbishop) on Dec 21, 2004 at 13:58 UTC
You are probably right... but somehow it just bothers me and I will continue to examine modules before I install them, and adjust file permissions to be correct for the file type.
I guess I'm a bit too paranoid. :-)
I'm not really a human, but I play one on earth.
flash japh
|
He is right. It's just superstition to be looking for security holes in those sloppily set permissions. An attacker is never going to go through a million artificial contortions when he is in a position to walk right in through the front door, because what would that buy him? And since you're going to be executing Makefile.PL anyway, you are offering an open front door.
It's another matter if the mode is 777 of course — since someone else could exploit that. 755 instead of 644 is harmless but annoying for other reasons.
Makeshifts last the longest.
|
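The distinction drawn in this thread (setuid and mode 777 matter, 755 instead of 644 is only untidy) can be checked mechanically over an unpacked distribution before installing. The following is an added example, not code from any poster; the function names, the finding labels and the "starts with `#!`" test for what counts as a legitimate executable are assumptions made for illustration.

```python
import os
import stat
import sys

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def classify(mode, is_script):
    """Findings for one regular file, worst first."""
    findings = []
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setid")           # runs with someone else's privileges
    if mode & stat.S_IWOTH:
        findings.append("world-writable")  # 777/666: any local user can alter it
    if mode & EXEC_BITS and not is_script:
        findings.append("stray-exec")      # 755 on a data file: untidy only
    return findings

def has_shebang(path):
    """Assumed heuristic: a file is meant to be executable if it starts with '#!'."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False

def audit(root):
    """Map relative path -> findings for every flagged regular file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, FIFOs, devices
            found = classify(mode, has_shebang(path))
            if found:
                report[os.path.relpath(path, root)] = found
    return report

if __name__ == "__main__":
    for rel, found in sorted(audit(sys.argv[1]).items()):
        print(f"{rel}: {', '.join(found)}")
```

Run it with the unpacked distribution directory as the only argument; entries reporting only `stray-exec` are the harmless-but-annoying case, and can be tidied with `chmod 644`.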