[mythtv-users] mytharchive security concern note
Bill
Bill at explosivo.com
Thu Jan 18 03:02:12 UTC 2007
On Wed, 17 Jan 2007 22:16:24 +0000
Paul Harrison <mythtv at dsl.pipex.com> spake:
> Bill wrote:
> > On http://www.mythtv.org/wiki/index.php/Mytharchive
> > ---------------------------------------------------
> > As of MythTV 0.20, use mytharchive at your own risk. Serious security holes will be introduced to the system after running mytharchive. ALL file system objects (from /, downward) will be set to world readable and writeable that can be written by the user running mytharchive. You have been warned.
> > ---------------------------------------------------
> >
> > Does this mean it will chmod all the directories it would write to, or all directories to readable and writeable that can be written by?
> >
> > Does anyone know which parts of the f/s specifically?
> >
> >
> That bug was fixed in revision 11192 on September 14th last year. There
> is no problem with any revisions later than that in fact later revisions
> don't try to change the file permissions it was only really a hack
> needed for the web interface which no one cared enough about to finish.
> It only affected the "native" archive format and only then if the
> archive was saved to a directory and not burned to a DVD. The script
> was supposed to chmod the created archive directory and its contents
> which it did nicely .... unfortunately a bug crept in where the wrong
> directory was passed to the script causing all directories that the user
> running mythfrontend had access to from / downward to be affected.
> Creating DVD's was never affected.
Okay. The mythtv.org site claims this for versions .20 and up.
Good to see it was taken care of.
Thanks!
More information about the mythtv-users
mailing list