[sbopkg-discuss] Re: Package ownership

Chess Griffin chess at chessgriffin.com
Wed Feb 11 12:31:45 UTC 2009


* Phillip Warner <phillip.c.warner at gmail.com> [2009-02-11 05:39:23]:

> >
> This is not true.  When a root user runs an SBo SlackBuild the created
> package *cannot* be overwritten by a normal user since the package has
> root:root perms with no 'others' write access.  It is true that a user
> could stick a fake package with a similar name in TMP, but the admin
> should be making sure that the package they are installing has the
> correct perms/ownership before installing it, and sbopkg should do the
> same since it automates these build/install steps.
> 

I understand -- I guess my point is, if installpkg does not check for
perms, then should sbopkg since it just calls installpkg (assuming only
root can install packages in sbopkg)?  And since the default SBo
behavior is to save the resulting packages in the same world-writable
directory, /tmp, then again this *might* open the door to other
modifications like you suggest.  Either way, these problems are not
specific to sbopkg.  Sbopkg is just a 'front-end' to installpkg, in
other words.

In any event, if we decide to go forward with the idea of changing
sbopkg so it sits in /usr/sbin and must be run as root, like slackpkg
and the various *pkg tools, then presumably this issue is moot because
the resulting packages from sbopkg would have the root:root perms?
Perhaps a warning that the package does not have root:root perms would
be a good idea, regardless.

This is a good discussion, thanks!

-- 
Chess Griffin
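
One way to implement the warning discussed in this message, as an added example that is not part of the original post or of sbopkg's code: a shell check to run on a built package before it is passed to installpkg. The function names `pkg_perms_verdict` and `check_pkg` are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: ownership/permission check for a package file before install.
# Function names are hypothetical; assumes GNU stat (stat -c).

# Decide from numeric uid, gid and octal mode whether a package is acceptable.
# Prints "ok" or a reason; returns 0 only for root:root with no group/other
# write bit set.
pkg_perms_verdict() {
    uid=$1 gid=$2 mode=$3
    case $mode in
        ''|*[!0-7]*) echo "unparseable mode"; return 1 ;;
    esac
    if [ "$uid" != 0 ] || [ "$gid" != 0 ]; then
        echo "not owned by root:root (uid=$uid gid=$gid)"; return 1
    fi
    # 022 masks the group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "group/other writable (mode $mode)"; return 1
    fi
    echo "ok"
}

# Check a package path. Fails closed: symlinks, non-regular files and stat
# errors are all treated as "do not install".
check_pkg() {
    pkg=$1
    if [ -L "$pkg" ] || [ ! -f "$pkg" ]; then
        echo "WARNING: $pkg is not a regular file" >&2; return 1
    fi
    meta=$(stat -c '%u %g %a' -- "$pkg" 2>/dev/null) || {
        echo "WARNING: cannot stat $pkg" >&2; return 1; }
    # Intentional word splitting of "uid gid mode" into $1 $2 $3.
    set -- $meta
    verdict=$(pkg_perms_verdict "$1" "$2" "$3") && return 0
    echo "WARNING: $pkg: $verdict" >&2
    return 1
}
```

A front-end would call `check_pkg "$OUTPUT/$PKG" && installpkg "$OUTPUT/$PKG"`, where the variable names stand in for whatever path the build produced. The check does not cover the window between the check and the install when the package sits in a world-writable directory.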