From kde Fri Jul 30 01:09:41 1999
From: Jens Grivolla
Date: Fri, 30 Jul 1999 01:09:41 +0000
To: kde
Subject: Re[2]: kscd, CDDB, and krabber security
X-MARC-Message: https://marc.info/?l=kde&m=93341857325438

Hi,

Thursday, July 29, 1999, 9:53:20 AM, Adolf Koenig wrote:

> Cris Wade wrote:
>> ... ok, here is the problem. When I went to /opt/kde/share/apps/kscd/cddb all the
>> directories were set with 777 (drwxrwxrws) permission, and all the files in
>> those directories were given 666 (-rw-rw-rw) permission. To me, this sounds
>> unsafe.

> It is unsafe indeed, if you are not the only user on your box.

Can't check right now, but it sounds like those directories just contain the CD database. It does not contain any executables or anything relevant. The only risk (if I'm correct) is that somebody else could change the track titles of your favourite CD. ;-)

>> My solution was to set the sticky bit (+t) on all of the
>> directories in /opt/kde/share/apps/kscd/cddb (rock, jazz, etc.); this way,
>> all a user could do is delete their own CDDB records, but no one else's.
>>
>> Now my question is this. Will this cause any problems for any other
>> programs that you know of?

> Probably not. The only consequence is, as you've seen already, that
> a user (except root) can only delete his own files. No reasonable software
> will depend on deleting other users' files.
> You could as well remove most of the write permissions for world, except
> perhaps logfiles etc.

Well, as I said, I suppose the software does not 'depend' on deleting other users' files, but the concept is that all users share a common CD database (which is mainly a cache for the CDDB on the internet). If every CD has its own file you should not need to delete anything (not anybody else's nor your own), so there should be no problem. If an app crashes because it cannot delete an entry from the database, I'd say don't use it.

>> Secondly, is this a problem with all KDE
>> installs, or is it just a Slackware-specific problem?

> Probably it's a problem caused by installing a tar-packed library. The tar file
> contains the permissions of the files and directories as they were at the moment of
> generating the tar file, and if you install it, you get them all. As I said, as long as
> you are the only user, it doesn't really matter. If you want to check the permissions
> before installing a tar archive, you could take a look at the output of
> tar -tvf tarfilename

As I said, I can't check, but it seems quite logical to me to give rw permission to everyone if you use a shared database for all users. Obviously you could create a group (say cddb) and change permissions to 770 and 660, but I don't think that's generally a security concern.

Best regards,
Jens
mailto:jg42@gmx.net
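Added example for this thread (not from the thread itself and not kscd's own code): a POSIX shell script that audits a shared cache tree such as /opt/kde/share/apps/kscd/cddb for the 777-directory / 666-file layout described above, then applies either the sticky-bit fix or the group-based 770/660 alternative; the directory path and group name are arguments assumed to exist, and the setgid bit on directories is my addition, not something the thread proposes.

```shell
#!/bin/sh
# Added example for this thread (not kscd's own code). Audits a shared,
# multi-user cache tree such as /opt/kde/share/apps/kscd/cddb for the
# 777-directory / 666-file layout Cris found, then offers the two fixes
# discussed: the sticky bit on each directory, or a dedicated group with
# 770/660. Directory path and group name are arguments (assumed to exist).

# Print one finding per line; an empty result means the tree is clean.
#   dir-no-sticky PATH        world-writable dir, anyone can unlink any entry
#   file-world-writable PATH  world-writable file, anyone can rewrite it
audit_shared_cache() {
    root="$1"
    # -perm -002: other-write bit set; ! -perm -1000: sticky bit not set
    find "$root" -type d -perm -002 ! -perm -1000 -print | sed 's/^/dir-no-sticky /'
    find "$root" -type f -perm -002 -print | sed 's/^/file-world-writable /'
}

# Cris's fix: keep the tree world-writable but set the sticky bit on every
# directory, so a user can only delete (or rename) entries they own.
apply_sticky_bit() {
    find "$1" -type d -exec chmod +t {} +
}

# Jens's alternative: a dedicated group (e.g. cddb) owns the tree, world gets
# nothing. Directories become 3770 (setgid + sticky + rwxrwx---); setgid is
# my addition so entries created by members inherit the group. Files are 660.
harden_with_group() {
    root="$1"; group="$2"
    chgrp -R "$group" "$root" || return 1
    find "$root" -type d -exec chmod 3770 {} +
    find "$root" -type f -exec chmod 660 {} +
}
```

Run the audit before and after either fix: with the sticky bit alone, the files stay world-writable and are still reported; with the group variant, nothing is reported.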