
From the default linux install script for OpenFL (http://www.openfl.org/haxe-3.1.1-linux-installer.tar.gz):

    # Set up haxelib
    sudo mkdir -p /usr/lib/haxe/lib
    sudo chmod -R 777 /usr/lib/haxe/lib
    sudo haxelib setup /usr/lib/haxe/lib

This isn't as bad as I originally thought; I tested this, and only that directory itself is world-writable (the sub-directories from haxe install foo are universally readable and executable, but not writable). Still seems like someone could install a malicious 'dependency' ahead of someone else needing it.

Oh, I remember seeing this last time I looked at this. I generally don't like seeing sudo/su in a script like this at all -- and especially not something that goes and messes with LSB-locations like /usr/lib.

FWIW, the actual software is downloaded by the script, e.g.: http://haxe.org/file/haxe-3.1.1-linux64.tar.gz

For something that is aimed at developers, one would think this stuff would be installed under /usr/local or /opt (the benefit of /usr/local is that most(?) distributions set up PATH, MANPATH, various link/library paths etc. to include /usr/local; the benefit of /opt is keeping the package well "out of the way").

World-writable directories without a sticky bit are generally just wrong -- under /usr/lib it's pretty terrible.
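
An audit for the condition both comments describe, as an added example (not from the thread or the OpenFL installer): it reports world-writable directories that lack the sticky bit. The function names and the demo tree are constructed for illustration; the modes mirror the ones discussed above.

```shell
#!/bin/sh
# Added example: audit for world-writable directories without the sticky bit.

# classify_dir DIR -> prints: not-world-writable | sticky | no-sticky
# -prune keeps find on DIR itself instead of descending into it.
classify_dir() {
    dir=$1
    if [ -z "$(find "$dir" -prune -type d -perm -0002)" ]; then
        echo "not-world-writable"
    elif [ -n "$(find "$dir" -prune -type d -perm -1000)" ]; then
        echo "sticky"       # /tmp-style: users cannot remove each other's entries
    else
        echo "no-sticky"    # any user can rename or delete entries they don't own
    fi
}

# list_unsafe_dirs ROOT -> every world-writable, non-sticky directory under ROOT
list_unsafe_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# demo_tree -> builds a constructed tree with the modes from the thread
# and prints its root path. The caller removes it afterwards.
demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/lib/foo" "$root/tmp" "$root/private"
    chmod 777 "$root/lib"        # what the installer does to the haxelib dir
    chmod 755 "$root/lib/foo"    # installed library: readable, not writable
    chmod 1777 "$root/tmp"       # world-writable with sticky bit
    chmod 755 "$root/private"
    echo "$root"
}

# When run with a path argument, audit that path (e.g. /usr/lib).
if [ "$#" -gt 0 ]; then
    list_unsafe_dirs "$1"
fi
```

On the demo tree only the `lib` directory is reported: its contents are not writable, but entries in it can still be added, renamed or removed by any local user.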
