Steel Bank Common Lisp

asdf-module.mk -- security issue: wrong permissions for contrib

Reported by Eugene Ossintsev on 2010-01-16
Affects: SBCL
Importance: Undecided
Assigned to: Nathan Froyd

Bug Description

SBCL 1.0.34.7
Linux badger 2.6.31-17-generic #54-Ubuntu SMP Thu Dec 10 17:01:44 UTC 2009 x86_64 GNU/Linux

I reported it already several times on sbcl-devel -- no result. I'll try to do it here. It's a long-standing issue with contrib/asdf-module.mk, where the last line ('find ....') contains the option '-type f'.

Thus, when the contrib files and directories are being installed, the permissions for the directories are not set properly, only the files' permissions are properly set.

*** How to reproduce:

Build and install SBCL as a non-root user. Look at the permissions of the following directories:
/usr/local/lib/sbcl/asdf-install
/usr/local/lib/sbcl/sb-bsd-sockets
etc.

They are set to the user who built and installed SBCL.

*** Why '-type f' happens to be in asdf-module.mk's find:

That 'find' was used with '-type f' in the asdf-module.mk revision when the directories were not copied. As far as I remember, that particular revision had some problems on Windows machines, therefore it was modified to make things happier. In the next revision both directories and files were copied but '-type f' remained as if it's only for files.

*** How to fix: Delete '-type f' from the last line of asdf-module.mk:

Instead of

find "$(BUILD_ROOT)$(INSTALL_DIR)" -type f -exec chown `id -u`:`id -g` {} \;

It must be:

find "$(BUILD_ROOT)$(INSTALL_DIR)" -exec chown `id -u`:`id -g` {} \;

description: updated
visibility: private → public
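
A check for the condition described in this report, as an added example that is not part of the original report or of SBCL's build scripts: it lists every entry under an install root whose owner or group differs from the expected one, and its files-only mode mirrors the '-type f' filter to show what that filter leaves unexamined. The function names and the numeric uid/gid arguments are this example's own; the commented invocation assumes the install step ran as root.

```shell
#!/bin/sh
# Added example: audit an installed tree for entries that are not owned
# by the expected uid:gid (for instance after "make install").

# audit_owner ROOT UID GID [files-only]
# Prints each path under ROOT whose owner or group differs from UID:GID.
# In "files-only" mode the scan is restricted to regular files, which is
# what '-type f' did in the original chown line: directories are skipped.
audit_owner() {
    root=$1
    uid=$2
    gid=$3
    mode=${4:-all}
    if [ "$mode" = "files-only" ]; then
        find "$root" -type f \( ! -user "$uid" -o ! -group "$gid" \) -print
    else
        find "$root" \( ! -user "$uid" -o ! -group "$gid" \) -print
    fi
}

# count_mismatches ROOT UID GID [files-only]
# Number of mismatching entries (assumes no newlines in path names).
count_mismatches() {
    audit_owner "$@" | wc -l | tr -d ' '
}

# Example invocation, assuming the install was meant to leave everything
# owned by root (uid 0, gid 0):
#   audit_owner /usr/local/lib/sbcl 0 0
# Any directory printed here is still owned by another account.
```

A files-only scan of a tree left in the state this report describes prints nothing, while the full scan lists the contrib directories.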
Nathan Froyd (froydnj) wrote :

I will apply this patch to the next release.

Changed in sbcl:
assignee: nobody → Nathan Froyd (froydnj)

Thank you!

 assign csr21-cantab
 status fixcommitted
 done

Nathan Froyd <email address hidden> writes:

> I will apply this patch to the next release.
>
> ** Changed in: sbcl
> Assignee: (unassigned) => Nathan Froyd (froydnj)

Actually, I think I will apply it to this one. Patch merged in
sbcl-1.0.34.14.

Christophe

Changed in sbcl:
status: New → Fix Committed
Changed in sbcl:
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.