[mythtv-users] mytharchive security concern note

Bill Bill at explosivo.com
Thu Jan 18 03:02:12 UTC 2007


On Wed, 17 Jan 2007 22:16:24 +0000
Paul Harrison <mythtv at dsl.pipex.com> spake:

> Bill wrote:
> > On http://www.mythtv.org/wiki/index.php/Mytharchive
> > ---------------------------------------------------
> > As of MythTV 0.20, use mytharchive at your own risk. Serious security holes will be introduced to the system after running mytharchive. ALL file system objects (from /, downward) will be set to world readable and writeable that can be written by the user running mytharchive. You have been warned.
> > ---------------------------------------------------
> >
> > Does this mean it will chmod all the directories it would write to, or all directories to readable and writeable that can be written by?
> >
> > Does anyone know which parts of the f/s specifically?
> >
> >   
> That bug was fixed  in revision 11192 on September 14th last year. There 
> is no problem with any revisions later than that in fact later revisions 
> don't try to change the file permissions it was only really a hack 
> needed for the web interface which no one cared enough about to finish. 
> It only affected the "native" archive format and only then if the 
> archive was saved to a directory and not burned to a DVD.  The script 
> was supposed to chmod the created archive directory and its contents 
> which it did nicely .... unfortunately a bug crept in where the wrong 
> directory was passed to the script causing all directories that the user 
> running mythfrontend had access to from / downward to be affected. 
> Creating DVD's was never affected.

Okay.  The mythtv.org site claims this for versions .20 and up.  

Good to see it was taken care of.

Thanks!


More information about the mythtv-users mailing list