Bug 125851 - glsa-check (from gentoolkit) should not be world executable
Summary: glsa-check (from gentoolkit) should not be world executable
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Unclassified
Hardware: All Linux
Importance: High normal
Assignee: Portage team
Reported: 2006-03-11 10:46 UTC by Björn Michaelsen
Modified: 2006-03-11 11:15 UTC

Description Björn Michaelsen 2006-03-11 10:46:07 UTC
In app-portage/gentoolkit-0.2.1, glsa-check has the following permissions:
-rwxr-xr-x  1 root root 8,9K 25. Jan 03:43 /usr/bin/glsa-check

This is a Bad Thing because any unprivileged user can get information very fast about exploitable security holes on the system.
Proposed solution:
glsa-check should have permissions set to something like this:
-rwxr-x---  1 root portage 8,9K 25. Jan 03:43 /usr/bin/glsa-check
Comment 1 solar (RETIRED) gentoo-dev 2006-03-11 11:15:26 UTC
Removing the executable bit from glsa-check in no way prevents normal users from 
obtaining the same information. A user can still copy his/her own copy of 
glsa-check to the box or simply look at the vdb. glsa-check is also intended 
to be run from non-root cronjob scripts.

As the user you have the option to remove the executable bits on your own 
/var/db/pkg/* but that is not a change we will make to portage or glsa-check.

Sorry, closing as WONTFIX. Have a good day.
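
The argument in Comment 1 can be checked on a given system by comparing the mode on the tool with the exposure of the package database (the vdb under /var/db/pkg) that it reads. The Python sketch below is an added example, not part of the bug report or of gentoolkit; the function names and the sample tree (including `sys-apps/example-1.0`) are constructed, and it inspects only the classic "other" mode bits, not ACLs or parent-directory permissions.

```python
import os
import stat
import tempfile

def other_can(path, bits):
    """True if the 'other' permission bits on path include all of bits."""
    return (os.stat(path).st_mode & bits) == bits

def world_visible_packages(vdb_root):
    """List category/package-version entries an unprivileged user can enumerate."""
    listable = stat.S_IROTH | stat.S_IXOTH  # o+r to list, o+x to traverse
    found = []
    if not other_can(vdb_root, listable):
        return found
    for cat in sorted(os.listdir(vdb_root)):
        cat_dir = os.path.join(vdb_root, cat)
        if not os.path.isdir(cat_dir) or not other_can(cat_dir, listable):
            continue
        found += [f"{cat}/{pkg}" for pkg in sorted(os.listdir(cat_dir))]
    return found

def audit(tool_path, vdb_root):
    """Compare the mode on the tool with the exposure of the data it reads."""
    tool_exec = other_can(tool_path, stat.S_IXOTH)
    visible = world_visible_packages(vdb_root)
    return {
        "tool_world_executable": tool_exec,
        "packages_world_visible": len(visible),
        # Restricting the tool only hides anything if the vdb is hidden too.
        "restriction_effective": not tool_exec and not visible,
    }

def build_sample(root, tool_mode, vdb_mode):
    """Constructed sample tree: a stand-in tool and a two-package vdb."""
    tool = os.path.join(root, "glsa-check")
    open(tool, "w").close()
    os.chmod(tool, tool_mode)
    vdb = os.path.join(root, "pkg")
    for entry in ("app-portage/gentoolkit-0.2.1", "sys-apps/example-1.0"):
        pkg_dir = os.path.join(vdb, entry)
        os.makedirs(pkg_dir)
        os.chmod(os.path.dirname(pkg_dir), 0o755)  # category dir, independent of umask
    os.chmod(vdb, vdb_mode)
    return tool, vdb

if __name__ == "__main__":
    # Reported mode, proposed mode, and proposed mode with the vdb restricted as well.
    for tool_mode, vdb_mode in ((0o755, 0o755), (0o750, 0o755), (0o750, 0o750)):
        with tempfile.TemporaryDirectory() as tmp:
            print(oct(tool_mode), oct(vdb_mode), audit(*build_sample(tmp, tool_mode, vdb_mode)))
```

On a real host, `audit("/usr/bin/glsa-check", "/var/db/pkg")` reports the same three fields for the paths named in this bug.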