[mythtv-users] mytharchive security concern note

Paul Harrison mythtv at dsl.pipex.com
Wed Jan 17 22:16:24 UTC 2007


Bill wrote:
> On http://www.mythtv.org/wiki/index.php/Mytharchive
> ---------------------------------------------------
> As of MythTV 0.20, use mytharchive at your own risk. Serious security holes will be introduced to the system after running mytharchive. ALL file system objects (from /, downward) will be set to world readable and writeable that can be written by the user running mytharchive. You have been warned.
> ---------------------------------------------------
>
> Does this mean it will chmod all the directories it would write to, or all directories to readable and writeable that can be written by?
>
> Does anyone know which parts of the f/s specifically?
>
>   
That bug was fixed in revision 11192 on September 14th last year. There
is no problem with any revisions later than that; in fact, later revisions
don't try to change the file permissions. It was only really a hack
needed for the web interface, which no one cared enough about to finish.
It only affected the "native" archive format, and only then if the
archive was saved to a directory and not burned to a DVD. The script
was supposed to chmod the created archive directory and its contents,
which it did nicely... unfortunately a bug crept in where the wrong
directory was passed to the script, causing all directories that the user
running mythfrontend had access to from / downward to be affected.
Creating DVDs was never affected.

Paul H.
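
The failure described in the reply above, a recursive chmod handed the wrong directory, can be contained by validating the target before walking it. This is an added example, not part of the original message and not MythTV's code; `open_up_archive`, `archive_root` and the sample tree are hypothetical, and adding only read bits (never write) is an assumption about what a consumer of the archive would need.

```python
import os
import stat
import tempfile

READ = stat.S_IRGRP | stat.S_IROTH      # read for group/other
SEARCH = stat.S_IXGRP | stat.S_IXOTH    # directory traversal for group/other


def open_up_archive(target, archive_root):
    """Add read access below one archive directory; return the paths changed."""
    root = os.path.realpath(archive_root)
    real = os.path.realpath(target)
    # Target must sit strictly inside the archive root: "/", the root itself and "../" escapes fail.
    if root == os.sep or real == root or os.path.commonpath([root, real]) != root:
        raise ValueError(f"refusing to chmod {real!r}: not inside {root!r}")
    if not os.path.isdir(real):
        raise ValueError(f"refusing to chmod {real!r}: not a directory")
    changed = []
    for dirpath, _dirs, files in os.walk(real, followlinks=False):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # never chmod through a symlink
            extra = READ | (SEARCH if stat.S_ISDIR(st.st_mode) else 0)
            os.chmod(path, stat.S_IMODE(st.st_mode) | extra)  # no write bits added
            changed.append(path)
    return changed


def demo():
    """Constructed sample tree: <tmp>/archives/job1/video.mpg plus a file outside."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "archives")
        job = os.path.join(root, "job1")
        os.makedirs(job)
        video, outside = os.path.join(job, "video.mpg"), os.path.join(base, "private.txt")
        for path in (video, outside):
            with open(path, "w") as fh:
                fh.write("sample")
            os.chmod(path, 0o600)
        changed = open_up_archive(job, root)
        refused = 0
        for bad in ("/", base, root, os.path.join(job, "..", "..")):
            try:
                open_up_archive(bad, root)
            except ValueError:
                refused += 1
        mode = lambda p: stat.S_IMODE(os.stat(p).st_mode)
        return len(changed), mode(video), mode(outside), refused
```

Calling `demo()` returns the number of paths changed, the resulting modes of the archived file and of the file outside the archive, and how many bad targets were refused.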



