From xemacs-m  Wed Apr  2 22:37:01 1997
Received: from tmai.com (tmai.com [192.246.219.2])
	by xemacs.org (8.8.5/8.8.5) with SMTP id WAA06747
	for <xemacs-beta@xemacs.org>; Wed, 2 Apr 1997 22:37:00 -0600 (CST)
Received: from tmai.com by tmai.com (4.1/SMI-4.1)
	id AA19959; Wed, 2 Apr 97 20:34:35 PST
Received: from nocturne.tmai.com by marmot (4.1/SMI-4.1)
	id AA10868; Wed, 2 Apr 97 20:34:32 PST
Received: by nocturne.tmai.com (SMI-8.6/SMI-SVR4)
	id UAA19898; Wed, 2 Apr 1997 20:34:29 -0800
Date: Wed, 2 Apr 1997 20:34:29 -0800
From: brian_barrick@tmai.com (Brian Barrick)
Message-Id: <199704030434.UAA19898@nocturne.tmai.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: xemacs-beta@xemacs.org
Subject: Re: A security hole during XEmacs installation
In-Reply-To: <199704012241.OAA06912@newman>
References: <kig7mipznnu.fsf@jagor.srce.hr>
	<m2raguibri.fsf@altair.xemacs.org>
	<199704012241.OAA06912@newman>
X-Mailer: VM 6.22 under 19.15 XEmacs Lucid

William M. Perry writes:
 > Steven L Baur writes:
 > >Hrvoje Niksic writes:
 > >
 > >> When a user (e.g. `hniksic') compiles XEmacs, when root does a
 > >> `make install', many files are left in hniksic's ownership.  This
 > >> includes most (all?) of the lisp/ and etc/ directories.  This means
 > >> that the mentioned user can keep changing the site-wide stuff.
 > >> Looking back, I see that the bug has been there since before 19.14.
 > >
 > >> We may wish to fix it for 20.1, though.
 > >
 > >Yup.  I hadn't realized this before.  The badness comes from copying the
 > >lisp directories with tar instead of cp (presumably to preserve time
 > >stamps?).  How does one portably say `ignore file ownership' in tar?  GNU
 > >tar has --same-owner, Solaris has -o, SCO has -p.  Grrr.
 > 
 >   Give up.  I tried to do this for our web server install at spry ages
 > ago.  Resistance is futile.  Actually _GNU TAR_ doesn't have a way to turn
 > this behaviour _OFF_.  --same-owner is the default, and there is no switch
 > to turn it off.
 > 
 >   Best bet would be to: chown -R `whoami` lisp
 > 
 >   ??  But that doesn't deal with group crap.
 > 
 > -Bill P.
 > 

I *never* run 'make install' as root.  I do the install as the user that
should own the files (which is never root).  If some particular file(s) need
to be setuid or setgid, I do this in a separate pass.

The default for GNU tar is indeed --same-owner, but only if you are
running as root.  In fact, the exact code is:

      if (we_are_root || flag_do_chown)
	if (chown (CURRENT_FILE_NAME, hstat.st_uid, hstat.st_gid) < 0)
	  ERROR ((0, errno, _("Cannot chown file %s to uid %d gid %d"),
		  CURRENT_FILE_NAME, hstat.st_uid, hstat.st_gid));

 > How are you supposed to turn that off?

You aren't.  This is as it should be.  It certainly isn't a bug.

	- Brian
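
The concern raised in this thread, installed files left in the build user's ownership after `make install`, can be checked on the installed tree afterwards. The following is an added example, not part of the message above or of the XEmacs build; `audit_tree` and its arguments are hypothetical names, and it assumes path names without embedded newlines.

```shell
#!/bin/sh
# Added example: audit an installed tree (e.g. the lisp/ and etc/ directories)
# for entries whose owner or group is not the one the site expects, or which
# are world-writable. Any of these lets a non-admin change site-wide files.
#
# Usage: audit_tree DIR OWNER GROUP
#   OWNER and GROUP may be names or numeric ids.
# Prints one line per finding, "<reason> <path>", and returns 1 if there is
# at least one finding, 0 if the tree is clean.
audit_tree() {
    dir=$1; owner=$2; group=$3
    out=$(
        # Entries that kept some other owner (tar run as root restores it).
        find "$dir" ! -user "$owner" -print | sed 's/^/owner /'
        # Entries with an unexpected group (chown -R alone leaves these).
        find "$dir" ! -group "$group" -print | sed 's/^/group /'
        # World-writable entries; symlinks are skipped because their mode
        # bits are not what governs access.
        find "$dir" ! -type l -perm -0002 -print | sed 's/^/world-writable /'
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

For example, `audit_tree /usr/local/lib/xemacs root root` (a constructed path) run after installation lists anything the build user could still modify.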

