[sbopkg-discuss] Re: Package ownership

Phillip Warner phillip.c.warner at gmail.com
Wed Feb 11 11:39:23 UTC 2009


On 2/10/09, Chess Griffin <chess at chessgriffin.com> wrote:
> It would seem to me that the same spoof could happen by a root user
> running an SBo SlackBuild outside, which saves a package to /tmp,
> another user coming along, making a fake package and overwriting the
> one in /tmp, which root then installs at a later date.
>
> It seems that all of these spoofs involving the SlackBuild, the .info
> file, and the resulting package are inherent in the SBo and SlackBuild
> system, and not sbopkg-specific.
>
This is not true.  When a root user runs an SBo SlackBuild the created
package *cannot* be overwritten by a normal user since the package has
root:root perms with no 'others' write access.  It is true that a user
could stick a fake package with a similar name in TMP, but the admin
should be making sure that the package they are installing has the
correct perms/ownership before installing it, and sbopkg should do the
same since it automates these build/install steps.

Also, before I install packages I run some custom scripts on them to
do various sanity checks on them.  Perhaps you can let sbopkg have the
option to run a post-build script before installing.  The config
option could just point to the script to run and its output would
simply be shown on the console after which sbopkg will regain control
after keyboard input.

If people don't like the root:root sanity check then I again suggest
that you make it possible to turn it off (leave it on by default) by a
simple config switch.  If nothing else, adding a post-build script
option would let me keep this in myself without having to patch every
new sbopkg version.

--phillip
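
The ownership and permission check discussed in this message, written out as a shell function. This is an added example, not part of the original post and not sbopkg code; the function name check_pkg_perms, its optional UID/GID arguments, the symlink check and the package path in the usage comment are assumptions made for illustration, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example (not sbopkg code). Assumes GNU stat from coreutils.

# check_pkg_perms FILE [UID] [GID]
# Succeeds only if FILE is a regular file (not a symlink), is owned by
# UID:GID (default 0:0, i.e. root:root) and is not writable by 'others'.
# UID/GID are parameters only so the check can be exercised as non-root.
check_pkg_perms() {
    pkg=$1
    want_uid=${2:-0}
    want_gid=${3:-0}

    # Extra check beyond the message: a symlink in a shared directory can
    # point anywhere, so insist on a plain file.
    if [ -L "$pkg" ] || [ ! -f "$pkg" ]; then
        echo "REJECT: $pkg is not a regular file" >&2
        return 1
    fi

    # %u = owner uid, %g = group gid, %a = permission bits in octal
    info=$(stat -c '%u %g %a' -- "$pkg") || return 1
    set -- $info
    uid=$1 gid=$2 mode=$3

    if [ "$uid" -ne "$want_uid" ] || [ "$gid" -ne "$want_gid" ]; then
        echo "REJECT: $pkg is owned by $uid:$gid, expected $want_uid:$want_gid" >&2
        return 1
    fi

    # Leading 0 makes the shell read the mode as octal; 0002 is others-write.
    if [ $(( 0$mode & 0002 )) -ne 0 ]; then
        echo "REJECT: $pkg is writable by others (mode $mode)" >&2
        return 1
    fi
    return 0
}

# Typical use before installing (path is a constructed placeholder):
#   check_pkg_perms /tmp/example-1.0-noarch-1_SBo.tgz && installpkg /tmp/example-1.0-noarch-1_SBo.tgz
```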
