[sbopkg-discuss] Re: Package ownership

Phillip Warner phillip.c.warner at gmail.com
Wed Feb 11 17:23:24 UTC 2009


On Wed, Feb 11, 2009 at 6:31 AM, Chess Griffin <chess at chessgriffin.com> wrote:

>
> I understand -- I guess my point is, if installpkg does not check for
> perms, then should sbopkg since it just calls installpkg (assuming only
> root can install packages in sbopkg)?  And since the default SBo
> behavior is to save the resulting packages in the same world-writable
> directory, /tmp, then again this *might* open the door to other
> modifications like you suggest.  Either way, these problems are not
> specific to sbopkg.  Sbopkg is just a 'front-end' to installpkg, in
> other words.
>
> In any event, if we decide to go forward with the idea of changing
> sbopkg so it sits in /usr/sbin and must be run as root, like slackpkg
> and the various *pkg tools, then presumably this issue is moot because
> the resulting packages from sbopkg would have the root:root perms?


Making sure that sbopkg is only run by root makes no difference for this
issue as sbopkg still would be able to install bad packages not created by
sbopkg.


> Perhaps a warning the package does not have root:root perms would be a
> good idea, regardless.
>
Yes.  You could also keep a private list of the packages (with file times)
built and ready to be installed and remove them from the list after they
have been moved/deleted.  Another great idea would be to allow the admin to
optionally have more info about the package before installing it.  Output of
'ls -l', a cat of doinst.sh and perhaps the .SlackBuild file, and a total
list of contents would be useful.  If nothing else then the warning and 'ls
-l' output may suffice.  That way the permissions and time of creation could
be seen and the warning would make it obvious if the perms were off.

But what happens if two legitimate SBo packages for the same software are
created?  Right now you are only given the option to install one of them.
You may want to install the other package instead.  If instead you were
shown a 'ls -l' of all the matching packages and then were allowed to choose
which one to install all of this would be more sane.

--phillip
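The two pre-install checks discussed in this thread, as an added illustration rather than sbopkg's own code: warn when a built package in the output directory is not owned by root:root or is writable by group/others, and list every package in that directory matching a given package name (with 'ls -l' output) so the admin can pick one instead of being offered only the first match. It assumes GNU stat (as shipped on Slackware), Slackware's name-version-arch-build.tgz naming, and an owner of uid 0 / gid 0 unless told otherwise; the function names are my own.

```shell
#!/bin/sh
# Added example, not sbopkg code. Pre-install sanity checks for packages
# left in a shared output directory such as /tmp.

# pkg_perm_check FILE [UID] [GID]
# Returns 0 if FILE is a regular file owned by UID:GID (default 0:0, i.e.
# root:root) and not writable by group or others. Otherwise prints one
# warning per problem to stderr and returns the number of problems found.
pkg_perm_check() {
    local file=$1 want_uid=${2:-0} want_gid=${3:-0} problems=0
    local uid gid mode grp oth
    if [ ! -f "$file" ]; then
        echo "warning: $file is not a regular file" >&2
        return 1
    fi
    # GNU stat assumed: numeric owner, numeric group, octal mode (e.g. 644)
    set -- $(stat -c '%u %g %a' -- "$file")
    uid=$1; gid=$2; mode=$3
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "warning: $file is owned by $uid:$gid, expected $want_uid:$want_gid" >&2
        problems=$((problems + 1))
    fi
    # Leading 0 makes the shell parse the mode as octal; the low two digits
    # are the group and other permission bits, and bit 2 is write access.
    grp=$(( (0$mode / 8) % 8 ))
    oth=$(( 0$mode % 8 ))
    if [ $((grp & 2)) -ne 0 ] || [ $((oth & 2)) -ne 0 ]; then
        echo "warning: $file is writable by group or others (mode $mode)" >&2
        problems=$((problems + 1))
    fi
    return "$problems"
}

# pkg_name FILE
# Prints the Slackware package name: the file name with its .t?z extension
# and the trailing -version-arch-build fields stripped.
pkg_name() {
    local base=${1##*/}
    base=${base%.t?z}
    base=${base%-*}; base=${base%-*}; base=${base%-*}
    printf '%s\n' "$base"
}

# find_candidates DIR NAME
# Prints the path of every package in DIR whose package name is NAME,
# one per line, so that two legitimate builds of the same software are
# both offered rather than only the first one found.
find_candidates() {
    local dir=$1 name=$2 f
    for f in "$dir"/*.t?z; do
        [ -e "$f" ] || continue
        [ "$(pkg_name "$f")" = "$name" ] && printf '%s\n' "$f"
    done
    return 0
}

# review_candidates DIR NAME [UID] [GID]
# Shows 'ls -l' (owner, mode, creation time) for each candidate and runs
# the permission check on it, which is the information an admin would
# want before choosing which one to hand to installpkg.
review_candidates() {
    local dir=$1 name=$2 f
    find_candidates "$dir" "$name" | while IFS= read -r f; do
        ls -l -- "$f"
        pkg_perm_check "$f" "$3" "$4" || echo "  -> $f failed the ownership/permission check" >&2
    done
}

# Usage (as root, on a package directory): review_candidates /tmp foo
```

Note that pkg_perm_check only inspects the package file itself; the contents (doinst.sh, file list) still deserve a look with 'tar tvf' before installation, as suggested above.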
