[mythtv-users] mytharchive security concern note
Paul Harrison
mythtv at dsl.pipex.com
Wed Jan 17 22:16:24 UTC 2007
Bill wrote:
> On http://www.mythtv.org/wiki/index.php/Mytharchive
> ---------------------------------------------------
> As of MythTV 0.20, use mytharchive at your own risk. Serious security holes will be introduced to the system after running mytharchive. ALL file system objects (from /, downward) will be set to world readable and writeable that can be written by the user running mytharchive. You have been warned.
> ---------------------------------------------------
>
> Does this mean it will chmod all the directories it would write to, or all directories to readable and writeable that can be written by?
>
> Does anyone know which parts of the f/s specifically?
>
>
That bug was fixed in revision 11192 on September 14th last year. There
is no problem with any revisions later than that; in fact, later revisions
don't try to change the file permissions. It was only really a hack
needed for the web interface, which no one cared enough about to finish.
It only affected the "native" archive format, and only then if the
archive was saved to a directory and not burned to a DVD. The script
was supposed to chmod the created archive directory and its contents,
which it did nicely... Unfortunately, a bug crept in where the wrong
directory was passed to the script, causing all directories that the user
running mythfrontend had access to from / downward to be affected.
Creating DVDs was never affected.
Paul H.
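
The failure mode described in the reply above, a recursive chmod handed the wrong directory, can be contained by validating the target before touching anything. This is an added example, not part of the original message and not MythTV's code; the names `checked_target`, `chmod_archive`, `world_writable` and the chosen modes are assumptions made for illustration.

```python
import os
import stat

class UnsafeTarget(Exception):
    """Raised when the chmod target is not a strict descendant of the archive root."""

def checked_target(archive_root, target):
    """Resolve both paths; accept target only if it lies strictly inside archive_root."""
    root = os.path.realpath(archive_root)
    real = os.path.realpath(target)
    # Rejects "/", the archive root itself, parents, siblings and symlink escapes.
    if root == os.sep or real == root or os.path.commonpath([root, real]) != root:
        raise UnsafeTarget(f"refusing to chmod {real!r} (archive root {root!r})")
    return real

def chmod_archive(archive_root, target, dir_mode=0o755, file_mode=0o644):
    """Recursively set modes below target; returns the number of entries changed."""
    real = checked_target(archive_root, target)
    changed = 0
    for dirpath, _dirnames, filenames in os.walk(real, followlinks=False):
        os.chmod(dirpath, dir_mode)
        changed += 1
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # never chmod through a symlink to something outside the tree
            os.chmod(path, file_mode)
            changed += 1
    return changed

def world_writable(top):
    """Audit helper: list paths under top whose mode has the other-write bit set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(top, followlinks=False):
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            if not os.path.islink(path) and os.lstat(path).st_mode & stat.S_IWOTH:
                hits.append(path)
    return hits
```

`world_writable` can also be pointed at a directory tree after the fact to list entries that a run of the affected revision left with the other-write bit set.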