[hibernate-issues] [Hibernate-JIRA] Created: (HHH-5061) tar.gz of 3.5.0-Final contains files which are marked setuid and executable

Darryl Miles (JIRA) noreply at atlassian.com
Thu Apr 1 04:11:32 EDT 2010


tar.gz of 3.5.0-Final contains files which are marked setuid and executable
---------------------------------------------------------------------------

                 Key: HHH-5061
                 URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-5061
             Project: Hibernate Core
          Issue Type: Bug
          Components: build
    Affects Versions: 3.5.0-Final
            Reporter: Darryl Miles
            Priority: Minor


The tar.gz version of the distribution contains files with the "setuid", "setgid" and "sticky bit" set.  These are denoted by the "s", "s" and "t" characters in the unix file permission bits.

Furthermore, once those bits are reset it can be seen that the executable bits "x" are also set.

Furthermore, they are world writable, whereas other files in the JAR are mode 0644 (-rw-r--r--).

$ tar -ztvf hibernate-distribution-3.5.0-Final-dist.tar.gz  | head -n 20
-rwsrwsrwt 0/0           26428 2007-06-29 20:24 hibernate-distribution-3.5.0-Final/lgpl.txt
-rwsrwsrwt 0/0            1456 2007-06-29 20:24 hibernate-distribution-3.5.0-Final/hibernate_logo.gif
-rwsrwsrwt 0/0          195261 2010-03-31 18:38 hibernate-distribution-3.5.0-Final/changelog.txt
-rwsrwsrwt 0/0         3893179 2010-03-31 19:52 hibernate-distribution-3.5.0-Final/hibernate3.jar
-rwsrwsrwt 0/0           37609 2010-03-31 19:16 hibernate-distribution-3.5.0-Final/hibernate-testing.jar
...SNIP...
$ chmod ug-s,o-t changelog.txt hibernate3.jar hibernate_logo.gif  hibernate-testing.jar lgpl.txt
$ ls -l
total 4088
-rwxrwxrwx.  1 root root  195261 2010-03-31 18:38 changelog.txt
drwxr-xr-x.  3 root root    4096 2010-04-01 08:46 documentation
-rwxrwxrwx.  1 root root 3893179 2010-03-31 19:52 hibernate3.jar
-rwxrwxrwx.  1 root root    1456 2007-06-29 20:24 hibernate_logo.gif
-rwxrwxrwx.  1 root root   37609 2010-03-31 19:16 hibernate-testing.jar
-rwxrwxrwx.  1 root root   26428 2007-06-29 20:24 lgpl.txt
drwxr-xr-x.  6 root root    4096 2010-04-01 08:46 lib
drwxr-xr-x. 24 root root    4096 2010-03-31 19:13 project
$ find . -maxdepth 1 -type f -perm +0111 -exec chmod a-x {} \;
$ ls -l
total 4088
-rwxrw-rw-.  1 root root  195261 2010-03-31 18:38 changelog.txt
drwxr-xr-x.  3 root root    4096 2010-04-01 08:46 documentation
-rw-rwxrw-.  1 root root 3893179 2010-03-31 19:52 hibernate3.jar
-rw-rw-rwx.  1 root root    1456 2007-06-29 20:24 hibernate_logo.gif
-rwxrwxrwx.  1 root root   37609 2010-03-31 19:16 hibernate-testing.jar
-rwxrwxrwx.  1 root root   26428 2007-06-29 20:24 lgpl.txt
drwxr-xr-x.  6 root root    4096 2010-04-01 08:46 lib
drwxr-xr-x. 24 root root    4096 2010-03-31 19:13 project
$ chmod go-w changelog.txt hibernate3.jar hibernate_logo.gif  hibernate-testing.jar lgpl.txt
$ ls -l
total 4088
-rw-r--r--.  1 root root  195261 2010-03-31 18:38 changelog.txt
drwxr-xr-x.  3 root root    4096 2010-04-01 08:46 documentation
-rw-r--r--.  1 root root 3893179 2010-03-31 19:52 hibernate3.jar
-rw-r--r--.  1 root root    1456 2007-06-29 20:24 hibernate_logo.gif
-rw-r--r--.  1 root root   37609 2010-03-31 19:16 hibernate-testing.jar
-rw-r--r--.  1 root root   26428 2007-06-29 20:24 lgpl.txt
drwxr-xr-x.  6 root root    4096 2010-04-01 08:46 lib
drwxr-xr-x. 24 root root    4096 2010-03-31 19:13 project


The last output above is how those file permissions should look.

Some people might consider any files marked setuid/setgid and executable and owned by "root" and world writable to be a security concern, especially if the archive was extracted as root (for shared use on a system).
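An added check, not part of the report or of the Hibernate project, that audits a tar.gz for exactly the permission problems described above (setuid, setgid, sticky, group/world write, and executable bits on plain files) without extracting anything, and reports the mode each flagged entry should end up with. The sample archive is constructed inline to mirror the listing; its entry names, modes and contents are made up.

```python
import io
import stat
import tarfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX      # setuid, setgid, sticky
UNSAFE_BITS = SPECIAL_BITS | stat.S_IWGRP | stat.S_IWOTH        # plus group/other write

def unsafe_reasons(member):
    """Name every unwanted permission bit carried by one archive entry."""
    m, reasons = member.mode, []
    for bit, label in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"),
                       (stat.S_ISVTX, "sticky")):
        if m & bit:
            reasons.append(label)
    if m & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group/world writable")
    if member.isfile() and m & 0o111:
        reasons.append("executable")  # data files and JARs need no x bit
    return reasons

def sanitized_mode(member):
    """Mode the entry should have: 0644 for regular files, 0755 for directories."""
    mode = member.mode & ~UNSAFE_BITS
    return mode & ~0o111 if member.isfile() else mode

def audit_tarball(data):
    """Return (name, reasons, fixed_mode) per flagged entry, without extracting."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            reasons = unsafe_reasons(member)
            if reasons:
                findings.append((member.name, reasons, sanitized_mode(member)))
    return findings

def build_sample_tarball():
    """Constructed sample mirroring the report: files stored mode 7777, dir 0755."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, payload in (("dist/lgpl.txt", 0o7777, b"LGPL text"),
                                    ("dist/hibernate3.jar", 0o7777, b"PK\x03\x04"),
                                    ("dist/lib", 0o755, None)):
            info = tarfile.TarInfo(name)
            info.mode = mode
            if payload is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Running the audit on a downloaded distribution before extracting it as root is the point; the 0644/0755 result matches the final listing the reporter arrives at by hand.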

