
List:       kde
Subject:    Re[2]: kscd, CDDB, and krabber security
From:       Jens Grivolla <jg42 () gmx ! net>
Date:       1999-07-30 1:09:41

Hi,

Thursday, July 29, 1999, 9:53:20 AM, Adolf Koenig wrote:

> Cris Wade wrote:
>>         ...  ok, here
>> is the problem.  when I went to /opt/kde/share/apps/kscd/cddb all the
>> directories were set with 777 (drwxrwxrws) permission, and all the files in
>> those directories were given 666 (-rw-rw-rw) permission.  To me, this sounds
>> unsafe.

> It is unsafe indeed, if you are not the only user on your box.

Can't check right now, but it sounds like those directories just
contain the CD-database.  It does not contain any executables or
anything relevant.  The only risk (if I'm correct) is that somebody
else could change the track titles of your favourite CD.  ;-)

>> My solution was to set the sticky bit (+t) on all of the
>> directories in /opt/kde/share/apps/kscd/cddb (rock, jazz, etc), this way,
>> all a user could do is to delete their own CDDB records, but no one else's.  
>> 
>> Now my question is this.  Will this cause any problems for any other
>> programs that you know of?  

> Probably not. The only consequence is, as you've seen already, that
> a user (except root) can only delete his own files. No reasonable software
> will depend on deleting other users' files. 
> You could as well remove most of the write-permissions for world, except
> perhaps logfiles etc.

Well, as I said, I suppose the software does not 'depend' on deleting
other users' files, but the concept is that all users share a common
CD-database (which is mainly a cache for the cddb on the internet).
If every CD has its own file you should not need to delete anything
(not anybody else's nor your own) so there should be no problem.  If an
app crashes because it cannot delete an entry from the database I'd
say don't use it.

>> Secondly, is this a problem with all KDE
>> installs, or is it just a Slackware-specific problem?

> Probably it's a problem caused by installing a tar-packed library. The tar-file
> contains the permissions of the files and directories as they were at the moment of
> generating the tar-file and if you install it, you get them all. As I said, as long as 
> you are the only user, it doesn't really matter. If you want to check the permissions
> before installing a tar-archive, you could take a look at the output of
>             tar    -tvf    tarfilename
            
As I said I can't check, but it seems quite logical to me to give
rw-permission to everyone if you use a shared database for all users.
Obviously you could create a group (say cddb) and change permissions
to 770 and 660, but I don't think that's generally a security concern.


Best regards,
 Jens                            mailto:jg42@gmx.net
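
Added example, not part of the original message and not KDE or kscd code: a Python version of the pre-install check suggested in the thread (reading member permissions as `tar -tvf` would list them), flagging world-writable members and world-writable directories that lack the sticky bit. The archive contents and entry names are constructed sample data.

```python
import io
import stat
import tarfile


def build_sample_archive() -> bytes:
    """Constructed sample: a small tar mimicking the layout in the thread."""
    entries = [  # (name, mode, is_dir) -- constructed, not from a real package
        ("kscd/cddb/rock", 0o2777, True),    # setgid + 777, no sticky bit
        ("kscd/cddb/jazz", 0o3777, True),    # setgid + 777, sticky bit set
        ("kscd/cddb/rock/0a0b0c0d", 0o666, False),
        ("kscd/README", 0o644, False),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, is_dir in entries:
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.type = tarfile.DIRTYPE if is_dir else tarfile.REGTYPE
            tar.addfile(info)  # zero-length member, only metadata matters here
    return buf.getvalue()


def audit_tar(data: bytes):
    """Return (name, octal mode, finding) for every world-writable member."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            if not m.mode & stat.S_IWOTH:
                continue  # not writable by "other": nothing to report
            if m.isdir():
                if m.mode & stat.S_ISVTX:
                    note = "world-writable dir, sticky bit set"
                else:
                    note = "world-writable dir WITHOUT sticky bit"
            else:
                note = "world-writable file"
            findings.append((m.name, oct(m.mode & 0o7777), note))
    return findings


if __name__ == "__main__":
    for name, mode, note in audit_tar(build_sample_archive()):
        print(f"{mode:>7}  {name}  {note}")
```

Reading the metadata this way does not extract anything, so the permissions can be reviewed before the archive touches the filesystem.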

