[hibernate-issues] [Hibernate-JIRA] Commented: (HHH-5061) tar.gz of 3.5.0-Final contains files which are marked setuid and executable

Gail Badner (JIRA) noreply at atlassian.com
Tue Apr 20 18:19:20 EDT 2010


    [ http://opensource.atlassian.com/projects/hibernate/browse/HHH-5061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=36525#action_36525 ] 

Gail Badner commented on HHH-5061:
----------------------------------

Please let us know if this is still an issue with 3.5.1.

> tar.gz of 3.5.0-Final contains files which are marked setuid and executable
> ---------------------------------------------------------------------------
>
>                 Key: HHH-5061
>                 URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-5061
>             Project: Hibernate Core
>          Issue Type: Bug
>          Components: build
>    Affects Versions: 3.5.0-Final
>            Reporter: Darryl Miles
>            Priority: Minor
>
> The tar.gz version of the distribution contains files with the "setuid", "setgid" and "sticky bit" set.  These are denoted by the "s", "s" and "t" characters in the unix file permissions bits.
> Furthermore, once those bits are reset it can be seen the executable bits "x" are also set.
> Furthermore, they are world writable, whereas other files in the JAR are mode 0644 (-rw-r--r--).
> $ tar -ztvf hibernate-distribution-3.5.0-Final-dist.tar.gz  | head -n 20
> -rwsrwsrwt 0/0           26428 2007-06-29 20:24 hibernate-distribution-3.5.0-Final/lgpl.txt
> -rwsrwsrwt 0/0            1456 2007-06-29 20:24 hibernate-distribution-3.5.0-Final/hibernate_logo.gif
> -rwsrwsrwt 0/0          195261 2010-03-31 18:38 hibernate-distribution-3.5.0-Final/changelog.txt
> -rwsrwsrwt 0/0         3893179 2010-03-31 19:52 hibernate-distribution-3.5.0-Final/hibernate3.jar
> -rwsrwsrwt 0/0           37609 2010-03-31 19:16 hibernate-distribution-3.5.0-Final/hibernate-testing.jar
> ...SNIP...
> $ chmod ug-s,o-t changelog.txt hibernate3.jar hibernate_logo.gif  hibernate-testing.jar lgpl.txt
> $ ls -l
> total 4088
> -rwxrwxrwx.  1 root root  195261 2010-03-31 18:38 changelog.txt
> drwxr-xr-x.  3 root root    4096 2010-04-01 08:46 documentation
> -rwxrwxrwx.  1 root root 3893179 2010-03-31 19:52 hibernate3.jar
> -rwxrwxrwx.  1 root root    1456 2007-06-29 20:24 hibernate_logo.gif
> -rwxrwxrwx.  1 root root   37609 2010-03-31 19:16 hibernate-testing.jar
> -rwxrwxrwx.  1 root root   26428 2007-06-29 20:24 lgpl.txt
> drwxr-xr-x.  6 root root    4096 2010-04-01 08:46 lib
> drwxr-xr-x. 24 root root    4096 2010-03-31 19:13 project
> $ find . -maxdepth 1 -type f -perm +0111 -exec chmod a-x {} \;
> $ ls -l
> total 4088
> -rwxrw-rw-.  1 root root  195261 2010-03-31 18:38 changelog.txt
> drwxr-xr-x.  3 root root    4096 2010-04-01 08:46 documentation
> -rw-rwxrw-.  1 root root 3893179 2010-03-31 19:52 hibernate3.jar
> -rw-rw-rwx.  1 root root    1456 2007-06-29 20:24 hibernate_logo.gif
> -rwxrwxrwx.  1 root root   37609 2010-03-31 19:16 hibernate-testing.jar
> -rwxrwxrwx.  1 root root   26428 2007-06-29 20:24 lgpl.txt
> drwxr-xr-x.  6 root root    4096 2010-04-01 08:46 lib
> drwxr-xr-x. 24 root root    4096 2010-03-31 19:13 project
> $ chmod go-w changelog.txt hibernate3.jar hibernate_logo.gif  hibernate-testing.jar lgpl.txt
> $ ls -l
> total 4088
> -rw-r--r--.  1 root root  195261 2010-03-31 18:38 changelog.txt
> drwxr-xr-x.  3 root root    4096 2010-04-01 08:46 documentation
> -rw-r--r--.  1 root root 3893179 2010-03-31 19:52 hibernate3.jar
> -rw-r--r--.  1 root root    1456 2007-06-29 20:24 hibernate_logo.gif
> -rw-r--r--.  1 root root   37609 2010-03-31 19:16 hibernate-testing.jar
> -rw-r--r--.  1 root root   26428 2007-06-29 20:24 lgpl.txt
> drwxr-xr-x.  6 root root    4096 2010-04-01 08:46 lib
> drwxr-xr-x. 24 root root    4096 2010-03-31 19:13 project
> The last output above is how those file permissions should look.
> Some people might consider any files marked setuid/setgid and executable and owned by "root" and world writable to be a security concern, especially if the archive was extracted as root (for shared use on a system).

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://opensource.atlassian.com/projects/hibernate/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
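The report above inspects the archive listing by eye and repairs the modes with three `chmod` passes. The following is an added example, not code from the Hibernate project or from either participant, that automates the audit step: it walks the members of a tar.gz and flags any entry carrying setuid, setgid, sticky, world-writable or executable bits, the combination the reporter found on the 3.5.0-Final distribution. The archive it scans is constructed in memory (names, sizes and the `dist-1.0/` prefix are invented for the example) so it runs offline; the same `audit_tarball` function works on bytes read from a real downloaded tarball.

```python
import io
import stat
import tarfile

# Permission bits a plain distribution archive should never carry on its files.
SETUID = stat.S_ISUID          # 0o4000, shown as "s" in the user triad
SETGID = stat.S_ISGID          # 0o2000, shown as "s" in the group triad
STICKY = stat.S_ISVTX          # 0o1000, shown as "t" in the other triad
WORLD_WRITE = stat.S_IWOTH     # 0o0002
EXEC_ANY = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_member(member):
    """Return the list of suspicious mode bits found on one tar member."""
    problems = []
    mode = member.mode
    if mode & SETUID:
        problems.append("setuid")
    if mode & SETGID:
        problems.append("setgid")
    if mode & STICKY:
        problems.append("sticky")
    if mode & WORLD_WRITE:
        problems.append("world-writable")
    # Directories legitimately carry "x" (search permission); regular files in a
    # jar/text distribution should not.
    if member.isfile() and mode & EXEC_ANY:
        problems.append("executable")
    return problems


def expected_mode(member):
    """The mode the reporter expects after cleanup: 0644 for files, 0755 for directories."""
    return 0o755 if member.isdir() else 0o644


def audit_tarball(data):
    """Scan a gzip-compressed tar held in memory.

    Returns {member name: (octal mode string, [problems], owner uid)} for every
    member that has at least one problem; an empty dict means the archive is clean.
    """
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for member in tf.getmembers():
            problems = audit_member(member)
            if problems:
                findings[member.name] = (oct(member.mode & 0o7777), problems, member.uid)
    return findings


def build_sample_tarball():
    """Constructed sample archive mimicking the report: root-owned files with mode 7777.

    This is test data for the example, not the real hibernate-distribution tarball.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, mode in [
            ("dist-1.0/lgpl.txt", 0o7777),        # listed by tar as -rwsrwsrwt
            ("dist-1.0/hibernate3.jar", 0o7777),
            ("dist-1.0/README", 0o644),           # a correctly packaged file
        ]:
            payload = b"sample content"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode
            info.uid = info.gid = 0               # owner 0/0 as in the report
            tf.addfile(info, io.BytesIO(payload))
        lib = tarfile.TarInfo("dist-1.0/lib")     # a normal directory entry
        lib.type = tarfile.DIRTYPE
        lib.mode = 0o755
        tf.addfile(lib)
    return buf.getvalue()


if __name__ == "__main__":
    for name, (mode, problems, uid) in sorted(audit_tarball(build_sample_tarball()).items()):
        print(f"{name}: mode {mode} uid {uid}: {', '.join(problems)}")
```

Running the audit before extraction matters more when the archive is unpacked as root, because GNU tar then preserves archived modes by default (`--same-permissions` is implied for the superuser); extracting with `--no-same-permissions` applies the umask instead, which is a reasonable safeguard for untrusted archives in addition to the check above.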
