RuiKuang / droidwall

Automatically exported from code.google.com/p/droidwall
0 stars 0 forks source link

Shell script world writable #281

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Version: 1.5.7 from 9 december 2011

The shell script /data/data/com.googlecode.droidwall.free/app_bin/droidwall.sh 
is writable by any app (or the adb shell), which is really bad I think. Isn't 
this the script which is run as root?

The following is run by the adb shell user, i.e. an unprivileged user. As seen 
all directories in the patch have "x" for other, and the file has "rwx".

$ ls -ld /data                                                 
drwxrwx--x system   system            2012-09-03 01:31 data
$ ls -ld /data/data                                            
drwxrwx--x system   system            2012-11-20 22:12 data
$ ls -ld /data/data/com.googlecode.droidwall.free/             
drwxr-x--x u0_a117  u0_a117           2012-11-20 22:13 
$ ls -ld /data/data/com.googlecode.droidwall.free/app_bin/>
-rwxrwxrwx u0_a117  u0_a117        36 2012-11-20 22:14 droidwall.sh

Original issue reported on code.google.com by mikma...@gmail.com on 20 Nov 2012 at 9:22