Am 11.08.2015 um 23:35 schrieb Josh Stone:
if you are running whatever application and *you have write permissions* from the moment a remote exploit is sucessful your home *is world writable* - periodI think you're mixing terminology. "World-writable" is often used referring to the S_IWOTH flag, where "others" (vs. user/group) have write permission. I believe that's what your linked tldp article is talking about. You seem to be talking about literally anyone in the world using a remote exploit, gaining the permissions of a user account, and then they can write home. It's still only writable by that user id, barring new chmods, but the user account itself is compromised.
that's a needless discussion and just nitpickingno binary you regulayr run should be writeable by anybod but root, there is no but of if - period - if somebody thinks there is an exception he has no clue of security
"but the user account itself is compromised" is the pointthe more applications are writable in your userhome that easier it get compromised and after that you lose any control wich other files are compromised
that affects any applicatoon BUT ESPECIALLY applications dealing with random data from the internet and so at first a BROWSER which deals with that by defintion
Attachment:
signature.asc
Description: OpenPGP digital signature
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
