Re: [cobalt-users] cobalt_upgrade
- Subject: Re: [cobalt-users] cobalt_upgrade
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Tue Nov 6 15:43:02 2001
- Organization: Befriend Internet Services LLC
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
"Gerald Young" <me@xxxxxxxxxxx> wrote:
> Hello interesting was checking
>
> /usr/local/sbin/cobalt_upgrade
>
> as was intrigued at being able to use this instead of the gui to install a
> custom package if something turns to mud.
> anyway cobalt_upgrade looks like it's chmod 755 - owned by root.
> is this right - should we change it?
Good question. I skimmed the source code and didn't see any code that
checks who is running the script so it would appear the fact that it's
world-executable means anyone can run it. Seems dangerous, but I don't have
time to verify that a normal user can install a package via the script (I
already know from experience it does work for user root).
> when I run
> ./cobalt_upgrade
> as a user (not admin or root) it returned
> 4015 no upgrade package found
That's the error you get when the file passed as an argument doesn't
exist...and you didn't pass a file. To me, it appears that the script will
run for any user if it's passed a package file as an argument.
> so am guessing any user with ssh could run this to install their own
> .pkg file that could do whatever they wanted.
I suspect so. Perhaps someone with some time can verify? If that turns out
to be the case, a chmod 700 seems in order.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
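
The permission check discussed in this thread, as an added example that is not part of the original messages or of any Cobalt code: it reports the mode bits in question (world-execute as in 755, plus world-write and set-id bits) for files in an admin directory, before and after the suggested chmod 700. The function names `has_perm`, `audit_mode`, `audit_dir` and the stand-in file `upgrade_stub` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report the permission bits the
# messages discuss for an admin script such as one in /usr/local/sbin.

# has_perm FILE BITS -> success if all BITS are set (POSIX find -perm -BITS)
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_mode FILE -> prints findings separated by spaces, or "ok"
audit_mode() {
    out=""
    if has_perm "$1" 0001; then out="$out world-exec"; fi   # e.g. mode 755
    if has_perm "$1" 0002; then out="$out world-write"; fi
    # set-id bits: binaries run with the owner's/group's ids, not the caller's
    if has_perm "$1" 4000; then out="$out setuid"; fi
    if has_perm "$1" 2000; then out="$out setgid"; fi
    out=${out# }
    echo "${out:-ok}"
}

# audit_dir DIR -> one "path: findings" line per regular file that is not "ok"
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        r=$(audit_mode "$f")
        if [ "$r" != "ok" ]; then echo "$f: $r"; fi
    done
}

# Constructed demo: a stand-in script in a temp directory, before and after
# the chmod 700 suggested in the reply.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho upgrade stub\n' > "$demo_dir/upgrade_stub"
chmod 755 "$demo_dir/upgrade_stub"
audit_dir "$demo_dir"
chmod 700 "$demo_dir/upgrade_stub"
audit_mode "$demo_dir/upgrade_stub"
rm -rf "$demo_dir"
```

Pointing `audit_dir` at a real directory such as /usr/local/sbin lists every file that other users can execute or write, which is the starting list for deciding where a chmod 700 or an explicit caller check belongs.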