[As usual when I write here, the header From: is a black hole. Use the
address in the signature to actually reach me.]

>> this only works if the user un-zipping the file is already root.
>> otherwise it creates an "sh" binary which is setuid to the user who
>> unzipped the file.

> If your homedir is world-readable, which is pretty common practice, the
> other user can run the shell and get your user account.

This is confusing readable with executable. If a directory is readable,
anyone can find out the names of the things in it. If it's executable,
anyone who knows a thing's name there can get to the thing. Read and
execute access usually go together on directories, but they don't have
to. (A +r-x directory is of doubtful use. But -r+x is comparatively
useful.)

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse@xxxxxxxxxxxxxxxxxxxxxx
/ \ Email!           7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
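The distinction the post draws between the read and execute (search) bits on a directory can be checked directly. The script below is an added example, not part of the original thread; it builds a scratch tree with a +r-x directory and a -r+x directory and shows that the first lets you list names but not reach the files, while the second lets you open a file whose name you already know but not list the directory. It assumes a POSIX sh, mktemp(1), and a non-root user, since root bypasses discretionary permission checks.

```shell
# Added example (not from the original mailing-list thread): directory r vs x bits.
# Assumptions: POSIX sh, mktemp(1), and a non-root caller, because root
# is not subject to these permission checks.

# Create a scratch tree and print its path. Layout:
#   listable/note.txt   with listable   mode 0400 (+r-x)
#   searchable/note.txt with searchable mode 0100 (-r+x)
make_tree() {
    work=$(mktemp -d) || return 1
    for d in listable searchable; do
        mkdir "$work/$d" || return 1
        printf 'hello\n' > "$work/$d/note.txt" || return 1
    done
    chmod 0400 "$work/listable"    # names visible, contents unreachable
    chmod 0100 "$work/searchable"  # names hidden, known paths reachable
    printf '%s\n' "$work"
}

# Succeeds only if the directory's entry names can be read (needs the r bit).
can_list() {
    ls "$1" >/dev/null 2>&1
}

# Succeeds only if a known path beneath the directory can be opened (needs the x bit).
can_open() {
    cat "$1/note.txt" >/dev/null 2>&1
}

# Restore owner permissions so the scratch tree can be deleted.
remove_tree() {
    chmod 0700 "$1/listable" "$1/searchable" && rm -rf "$1"
}

# Stand-alone demonstration: report what each directory permits.
if [ "$(id -u)" -ne 0 ]; then
    tree=$(make_tree) || exit 1
    for d in listable searchable; do
        if can_list "$tree/$d"; then l=yes; else l=no; fi
        if can_open "$tree/$d"; then o=yes; else o=no; fi
        printf '%s: list names=%s, open known file=%s\n' "$d" "$l" "$o"
    done
    remove_tree "$tree"
fi
```

The -r+x case is the one the post calls comparatively useful: a home directory in that mode does not let other users enumerate what is in it, but anything they already know the name of (such as an unpacked setuid "sh") is still reachable if the file's own mode permits it, so hiding names is not the same as denying access.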