Re: Kernelsources writeable for everyone?!

From: Matthew Frost
Date: Sun Jun 25 2006 - 01:42:48 EST


Mark Rosenstand wrote:
On Sat, 2006-06-24 at 19:17 +0100, Al Viro wrote:
On Sat, Jun 24, 2006 at 08:00:50PM +0200, Daniel wrote:
Hi,
may be this was reported/asked 999999999 times, but here ist the 1000000000th:

I have downloaded linux-2.6.17.1 10 min ago and I noticed that every file is writeable by everyone. What's going on there?

It's an abusive way of telling people to not extract the kernel sources
as root. Surely if they don't follow the recommended workflow, their box
deserve to be rooted.


No, the inevitable flame war here is the abusive way of telling people not to extract the kernel sources as root. This argument boils down to a fundamental disjunct: trust people to handle security of their own box their own way, with full knowledge of how their tools work, or assume that they aren't intelligent enough to use tools sanely and securely, and handicap so they don't have to. The latter, much as it is not seen this way, is the abusive philosophy. The former trusts the user.

Yes, there's a learning curve. There is always a learning curve. Never expect there not to be a learning curve.

The kernel archive is foremost an archive of a working directory. The recommended workflow is sane, and is designed around the limitations of tools sensibly designed for a wide range of purposes, not foremost of which is kernel compilation.

Please learn to take advice. It tends to be intended for your benefit, and is generally more useful when not viewed as a personal affront.

You are unpacking tarballs as root and preserve ownership and permissions.
Don't.

Preserving ownership and permissions is the default behaviour for GNU
tar when running as root. Other implementations require the -p option.

Matt
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/