blinksmith / winezeug

Automatically exported from code.google.com/p/winezeug

install-gecko.sh abuses sudo to elevate permissions and perform root operations #239

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. wget http://winezeug.googlecode.com/svn/trunk/install-gecko.sh
2. sh ./install-gecko.sh

(or, if you're paranoid like me:
2. sh -x ./install-gecko.sh
...which is how I spotted this:)

What is the expected output? What do you see instead?
+ set -ex
+ install_gecko wine-1.3.3
+ case $1 in
+ GECKO_VERSION=1.1.0
+ GECKO_SHA1SUM=1b6c637207b6f032ae8a52841db9659433482714
+ GECKO_SUFFIX=.cab
+ test '!' -f /usr/share/wine/gecko/wine_gecko-1.1.0-x86.cab
+ rm -f wine_gecko-1.1.0-x86.cab
+ wget http://downloads.sourceforge.net/wine/wine_gecko-1.1.0-x86.cab
[...stuff...]
++ sha1sum
++ sed 's/(stdin)= //;s/ .*//'
+ gotsum=1b6c637207b6f032ae8a52841db9659433482714
+ '[' 1b6c637207b6f032ae8a52841db9659433482714x '!=' 1b6c637207b6f032ae8a52841db9659433482714x ']'
+ sudo mkdir -p /usr/share/wine/gecko
+ sudo cp wine_gecko-1.1.0-x86.cab /usr/share/wine/gecko/

What version of the product are you using? On what operating system?

install-gecko.sh d/l'd from svn (timestamp: 2011-03-15 13:07:38 -0400)
Fedora 14 x86_64 with wine-core-1.3.19-1.fc14.i686 installed via yum.

Please provide any additional information below.

Not cool, gang.

It'd be better practice for install-gecko.sh to check for permissions, and bail unless it's run as root. Then the USER can choose to run a 'sudo sh ./install-gecko.sh' if they're so inclined. (Hopefully, first taking the chance to give it a second look, so they can see if there's anything suspicious.)

Or, preferably, stay out of /usr/share/wine/ entirely, if there's any way at all to achieve the same thing using a path somewhere under the user's $HOME. Personally, I avoid any files being placed into the OS paths except via RPM (or obvious exceptions like /var/run/). The lack of a wine-gecko rpm is another discussion entirely, but IMHO install-gecko.sh should be extremely reticent about "overriding" the system's install management and taking liberties with /usr/share/.

Original issue reported on code.google.com by ferd...@gmail.com on 18 May 2011 at 10:03
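The installer shape the report asks for, as an added example that is not winezeug's own install-gecko.sh: verify the download's SHA-1 first, then either refuse to write to /usr/share/wine/gecko unless already running as root, or stay under $HOME. It never invokes sudo itself. The per-user directory is an assumed location, not one the page states.

```shell
#!/bin/sh
# Added example, not the winezeug project's code. Mirrors the page's checksum
# pipeline, but replaces the in-script "sudo mkdir/cp" with an explicit choice:
# system install only when euid is 0, otherwise a per-user directory.

SYSTEM_GECKO_DIR=/usr/share/wine/gecko
USER_GECKO_DIR="${HOME:-/tmp}/.local/share/wine/gecko"   # assumed per-user path

# Print the SHA-1 of FILE, stripping the "(stdin)= " prefix some tools emit
# (same sed as the original script's trace).
file_sha1() {
    sha1sum < "$1" | sed 's/(stdin)= //;s/ .*//'
}

# verify_checksum FILE EXPECTED -> status 0 if the SHA-1 matches, 1 otherwise
verify_checksum() {
    gotsum=$(file_sha1 "$1")
    [ "${gotsum}x" = "${2}x" ]
}

# choose_target_dir MODE -> prints the install directory on stdout.
#   system : allowed only when already root; otherwise prints nothing, returns 1
#            so the caller can tell the user to rerun the script as root.
#   user   : always allowed, never leaves $HOME.
choose_target_dir() {
    case "$1" in
        system)
            if [ "$(id -u)" -ne 0 ]; then
                echo "install-gecko: refusing to write to $SYSTEM_GECKO_DIR; rerun as root" >&2
                return 1
            fi
            echo "$SYSTEM_GECKO_DIR" ;;
        user)   echo "$USER_GECKO_DIR" ;;
        *)      echo "install-gecko: unknown mode '$1'" >&2; return 2 ;;
    esac
}

# install_gecko_file FILE EXPECTED_SHA1 MODE -> copies FILE into the chosen
# directory only after the checksum matches; no privilege escalation anywhere.
install_gecko_file() {
    verify_checksum "$1" "$2" || { echo "install-gecko: checksum mismatch for $1" >&2; return 1; }
    dir=$(choose_target_dir "$3") || return 1
    mkdir -p "$dir" && cp "$1" "$dir/"
}
```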