View Issue Details

IDProjectCategoryView StatusLast Update
0008120mantisbtinstallationpublic2007-10-04 01:40
Reporterkho Assigned Tovboctor  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
PlatformLinuxOSCentOS 
Product Version1.0.8 
Target Version1.0.9Fixed in Version1.1.0a4 
Summary0008120: all the files and directories has permission 777 in mantis-1.0.8.tar.gz
Description

I have downloaded mantis-1.0.8.tar.gz and after expanding it, all the files and directories have permission 777. I think this started on mantis-1.0.7.tar.gz and could be a security risk.

The way I expanded the archive is "zcat mantis-1.0.8.tar.gz | tar xf -"

TagsNo tags attached.

Activities

grangeway

grangeway

2007-07-05 14:26

reporter   ~0014870

Victor, could you look into this?

Paul

giallu

giallu

2007-07-09 03:06

reporter   ~0014905

I verified that 1.0.6 had proper permissions on (almost) all files.

Fedora users are not affected as the permissions are fixed during package build, but that's something we should fix for 1.0.9.
You are probably aware but, just in case: saner permissions are 644(rw-r--r--) for files and 755(rwxr-xr-x) for directories.

vboctor

vboctor

2007-07-09 10:09

manager   ~0014913

I do the packaging in Windows, what do I have to do to make sure that when the archive is expanded it comes out as 644 and 755. I used 7zip to create the last two archives, can it be the cause? Before that I used to use Total Commander (I think).

giallu

giallu

2007-07-10 05:38

reporter   ~0014918

I don't know how to use the Windows tools to do the job.

What you can do to check the results, is to install MSYS from:

http://sourceforge.net/project/showfiles.php?group_id=2435&package_id=82721&release_id=158803

and using a command like:

tar tvzf mantisbt-1.0.8.tar.gz

once installed MSYS, you could also choose to create packages there with something like:

tar cvzf mantisbt-1.0.8.tar.gz mantisbt-1.0.8

Martin Fuchs

Martin Fuchs

2007-08-01 02:06

reporter   ~0015310

You should avoid creating TAR archives on Windows, since this doesn't support Unix file permissions. However there may be the possibility to use the command line option "--mode" of GTAR, which you could also use on Windows. But it would be better to create the archives on a native Unix environment. If I shall help you with this - I have access to a Linux account.

DGtlRift

DGtlRift

2007-08-07 16:58

reporter   ~0015366

Would tar within cygwin help? I tried it out and it seems to keep the mode set to a sane setting.

giallu

giallu

2007-08-08 02:33

reporter   ~0015368

to DGtlRift:

Yes, I believe that is a viable alternative in Windows, mush like the MSYS solution

vboctor

vboctor

2007-08-08 23:13

manager   ~0015376

Did you guys get a chance to try the permissions on 1.1.0a4? I've used Total Commander, which I used to use for older release. The reason I stopped using it was that it was generating tar files that some extractors were complaining about.

Martin Fuchs

Martin Fuchs

2007-08-09 02:56

reporter   ~0015378

Yes, the new archive attributes look reasonable - there are no execute bits set, so you might also use your Total Commander version again.

Issue History

Date Modified Username Field Change
2007-07-03 00:29 kho New Issue
2007-07-05 14:26 grangeway Status new => assigned
2007-07-05 14:26 grangeway Assigned To => vboctor
2007-07-05 14:26 grangeway Note Added: 0014870
2007-07-09 03:06 giallu Note Added: 0014905
2007-07-09 03:07 giallu Target Version => 1.0.9
2007-07-09 10:09 vboctor Note Added: 0014913
2007-07-10 05:38 giallu Note Added: 0014918
2007-08-01 02:06 Martin Fuchs Note Added: 0015310
2007-08-07 16:58 DGtlRift Note Added: 0015366
2007-08-08 02:33 giallu Note Added: 0015368
2007-08-08 23:13 vboctor Note Added: 0015376
2007-08-09 02:56 Martin Fuchs Note Added: 0015378
2007-08-09 03:01 vboctor Status assigned => resolved
2007-08-09 03:01 vboctor Fixed in Version => 1.1.0a4
2007-08-09 03:01 vboctor Resolution open => fixed
2007-10-04 01:40 vboctor Status resolved => closed