Re: Automake security problem

Jim Meyering Wed, 1 Mar 2000 00:56:01 -0800
Bob Friesenhahn <[EMAIL PROTECTED]> writes:
| I am using CVS automake.  After doing a 'make dist', I find that all
| the files in my source directories are marked world read/write.  This
| makes it easier for others to add trojan horses to the code I write.

Ick.  Thanks for providing the impetus finally to fix this.
The problem is not that make dist rules munge permissions of files
in $(distdir), but rather that the files in $(distdir) are usually
linked to the master copies in your source hierarchy.

Here's an untested patch.

        * automake.in (handle_dist_worker) [generating rules for distdir]:
        Don't use `ln' (which was just a space optimization anyway) to
        populate $(distdir).  Otherwise, the dist rules that change
        permissions would end up affecting the master sources.
        * texinfos.am (dist-info): Likewise.

BTW, Tom, what about that last patch I sent in (testing for close failure)?

Index: automake.in
===================================================================
RCS file: /cvs/automake/automake/automake.in,v
retrieving revision 1.768
diff -u -p -r1.768 automake.in
--- automake.in 2000/02/02 04:29:02     1.768
+++ automake.in 2000/03/01 08:38:53
@@ -2661,7 +2666,6 @@ sub handle_dist_worker
                      . "\t    cp -pR \$\$d/\$\$file \$(distdir); \\\n"
                      . "\t  else \\\n"
                      . "\t    test -f \$(distdir)/\$\$file \\\n"
-                     . "\t    || ln \$\$d/\$\$file \$(distdir)/\$\$file 2> /dev/null 
\\\n"
                      . "\t    || cp -p \$\$d/\$\$file \$(distdir)/\$\$file || :; \\\n"
                      . "\t  fi; \\\n"
                      . "\tdone\n");
Index: texinfos.am
===================================================================
RCS file: /cvs/automake/automake/texinfos.am,v
retrieving revision 1.67
diff -u -p -r1.67 texinfos.am
--- texinfos.am 1999/11/21 21:35:40     1.67
+++ texinfos.am 2000/03/01 08:38:53
@@ -1,5 +1,5 @@
 ## automake - create Makefile.in from Makefile.am
-## Copyright (C) 1994-98, 1999 Free Software Foundation, Inc.
+## Copyright (C) 1994-98, 1999, 2000 Free Software Foundation, Inc.
 
 ## This program is free software; you can redistribute it and/or modify
 ## it under the terms of the GNU General Public License as published by
@@ -203,7 +203,6 @@ NOTCYGNUS     d=$(srcdir); \
 CYGNUS   if test -f $$base; then d=.; else d=$(srcdir); fi; \
          for file in `CDPATH=: && cd $$d && eval echo $$base*`; do \
            test -f $(distdir)/$$file \
-           || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
            || cp -p $$d/$$file $(distdir)/$$file; \
          done; \
        done
Re: Automake security problem

Reply via email to
