On 08/11/2015 02:04 PM, Reindl Harald wrote:
>
>
> On 11.08.2015 at 23:00, Mustafa Muhammad wrote:
>>
>> On Aug 11, 2015 11:29 PM, "Reindl Harald" <h.reindl@xxxxxxxxxxxxx> wrote:
>> >
>> > On 11.08.2015 at 22:18, Mustafa Muhammad wrote:
>> >>
>> >> > If I knew Mozilla's Linux binaries provided its own update mechanism
>> >> > and notification, yes I would do exactly that.
>> >>
>> >> I am pretty sure they get updated just like Windows and OS X binaries,
>> >> but the tar ball should be extracted in a user writable location
>> >
>> >
>> > nonsense
>> >
>> > *if* you use binary tarballs they *should not* be extracted in a user
>> > writeable location as *no binary* whenever possible should have
>> > permissions allowing an ordinary user to change them
>> >
>> > they should be extracted to /usr/local/ with root-only
>> > write-permissions and you have to just start the application as root for
>> > updates - not only on Linux, on *any* operating system
>> >
>> > and since most users are not able to cope with this security
>> > principles package managers exist
>> > _________________________________________
>> >
>> > http://www.tldp.org/HOWTO/Security-HOWTO/file-security.html
>> >
>> > World-writable files, particularly system files, can be a security
>> > hole if a cracker gains access to your system and modifies them.
>> > Additionally, world-writable directories are dangerous, since they allow
>> > a cracker to add or delete files as he wishes
>>
>> My home is not world writable
>
> you still don't get it
>
> if you are running whatever application and *you have write permissions*
> from the moment a remote exploit is successful your home *is world
> writable* - period

I think you're mixing terminology. "World-writable" is often used referring to the S_IWOTH flag, where "others" (vs. user/group) have write permission. I believe that's what your linked tldp article is talking about.

You seem to be talking about literally anyone in the world using a remote exploit, gaining the permissions of a user account, and then they can write home. It's still only writable by that user id, barring new chmods, but the user account itself is compromised.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
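
The distinction drawn in the last reply, between a path with S_IWOTH set and a path that only the account running the application can modify, shown as an added example that is not part of the thread. The function names (`write_exposure`, `audit`, `build_sample_tree`) are hypothetical, the sample tree is constructed, and the check looks at mode bits only.

```python
import os
import stat
import tempfile

def write_exposure(path, uid, gids=()):
    """Classify who can modify `path`, judged from its mode bits alone
    (ACLs, capabilities and uid 0 are deliberately ignored)."""
    st = os.lstat(path)
    mode = st.st_mode
    if st.st_uid == uid:            # the account owns the file: owner bits apply
        account = bool(mode & stat.S_IWUSR)
    elif st.st_gid in gids:         # otherwise the group bits, if it is a member
        account = bool(mode & stat.S_IWGRP)
    else:                           # otherwise the account is just "others"
        account = bool(mode & stat.S_IWOTH)
    return {
        "world_writable": bool(mode & stat.S_IWOTH),
        "account_writable": account,
        "sticky": bool(mode & stat.S_ISVTX),
    }

def audit(root, uid, gids=()):
    """Walk `root` and return {relative path: exposure} for every entry."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # a symlink's own mode bits are meaningless
                continue
            report[os.path.relpath(full, root)] = write_exposure(full, uid, gids)
    return report

def build_sample_tree():
    """Constructed sample: a private home-style file, an S_IWOTH file, a sticky dir."""
    root = tempfile.mkdtemp(prefix="perm-demo-")
    for name, mode in (("home_binary", 0o755), ("shared_file", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    spool = os.path.join(root, "spool")
    os.mkdir(spool)
    os.chmod(spool, 0o1777)         # world-writable, sticky, like /tmp
    return root

if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, exposure in sorted(audit(tree, os.getuid(), os.getgroups()).items()):
        print(rel, exposure)
```

In the sample, `home_binary` (mode 0755) is not world-writable but is writable by the owning account, which is the case the thread is arguing about; the same file evaluated for any other uid is not writable at all.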