install-gecko.sh abuses sudo to elevate permissions and perform root operations #239

Open
GoogleCodeExporter opened this issue Jul 13, 2015 · 0 comments

What steps will reproduce the problem?
1. wget http://winezeug.googlecode.com/svn/trunk/install-gecko.sh
2. sh ./install-gecko.sh

(or, if you're paranoid like me:
2. sh -x ./install-gecko.sh
...which is how I spotted this:)

What is the expected output? What do you see instead?
+ set -ex
+ install_gecko wine-1.3.3
+ case $1 in
+ GECKO_VERSION=1.1.0
+ GECKO_SHA1SUM=1b6c637207b6f032ae8a52841db9659433482714
+ GECKO_SUFFIX=.cab
+ test '!' -f /usr/share/wine/gecko/wine_gecko-1.1.0-x86.cab
+ rm -f wine_gecko-1.1.0-x86.cab
+ wget http://downloads.sourceforge.net/wine/wine_gecko-1.1.0-x86.cab
[...stuff...]
++ sha1sum
++ sed 's/(stdin)= //;s/ .*//'
+ gotsum=1b6c637207b6f032ae8a52841db9659433482714
+ '[' 1b6c637207b6f032ae8a52841db9659433482714x '!=' 1b6c637207b6f032ae8a52841db9659433482714x ']'
+ sudo mkdir -p /usr/share/wine/gecko
+ sudo cp wine_gecko-1.1.0-x86.cab /usr/share/wine/gecko/

What version of the product are you using? On what operating system?

install-gecko.sh d/l'd from svn (timestamp: 2011-03-15 13:07:38 -0400)
Fedora 14 x86_64 with wine-core-1.3.19-1.fc14.i686 installed via yum.

Please provide any additional information below.

Not cool, gang.

It'd be better practice for install-gecko.sh to check for permissions, and bail 
unless it's run as root. Then the USER can choose to run a 'sudo sh 
./install-gecko.sh' if they're so inclined. (Hopefully, first taking the chance 
to give it a second look, so they can see if there's anything suspicious.)

Or, preferably, stay out of /usr/share/wine/ entirely, if there's any way at all 
to achieve the same thing using a path somewhere under the user's $HOME. 
Personally, I avoid any files being placed into the OS paths except via RPM (or 
obvious exceptions like /var/run/). The lack of a wine-gecko rpm is another 
discussion entirely, but IMHO install-gecko.sh should be extremely reticent 
about "overriding" the system's install management and taking liberties with 
/usr/share/.

Original issue reported on code.google.com by [email protected] on 18 May 2011 at 10:03
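
The approach suggested in the report (verify the download, then bail instead of calling sudo), sketched as an added example that is not part of the original issue or of install-gecko.sh. The function names and the `GECKO_DEST` override are hypothetical; whether Wine reads Gecko from any directory other than /usr/share/wine/gecko is not established on this page.

```shell
#!/bin/sh
# Added example: an install step that never raises its own privileges.
# GECKO_DEST is a hypothetical override, not an option of install-gecko.sh.

SYSTEM_DIR=/usr/share/wine/gecko   # system path seen in the trace above

# verify_sha1 FILE EXPECTED -> status 0 only when the digest matches exactly
verify_sha1() {
    got=$(sha1sum < "$1" | sed 's/ .*//')
    [ "$got" = "$2" ]
}

# choose_dest UID [DEST] -> prints the install directory, or fails with an
# explanation on stderr. The caller decides whether to re-run under sudo.
choose_dest() {
    uid=$1
    dest=${2:-}
    if [ -n "$dest" ]; then
        case $dest in
            /*) ;;   # absolute path chosen explicitly by the user
            *) echo "destination must be an absolute path" >&2; return 1 ;;
        esac
        printf '%s\n' "$dest"
    elif [ "$uid" -eq 0 ]; then
        printf '%s\n' "$SYSTEM_DIR"
    else
        echo "refusing to write $SYSTEM_DIR as uid $uid;" >&2
        echo "re-run under sudo yourself, or set GECKO_DEST" >&2
        return 1
    fi
}

# install_file FILE SHA1 UID [DEST]: verify first, then copy using only the
# privileges the caller already has. Nothing is created on a failed check.
install_file() {
    verify_sha1 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    target=$(choose_dest "$3" "${4:-}") || return 1
    mkdir -p "$target" && cp "$1" "$target/"
}

# Typical call from the script body:
#   install_file "$file" "$GECKO_SHA1SUM" "$(id -u)" "${GECKO_DEST:-}"
```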
