<div class="gmail_quote">On Wed, Feb 11, 2009 at 6:31 AM, Chess Griffin <span dir="ltr"><<a href="mailto:chess@chessgriffin.com">chess@chessgriffin.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d"><br>
</div>I understand -- I guess my point is, if installpkg does not check for<br>
perms, then should sbopkg since it just calls installpkg (assuming only<br>
root can install packages in sbopkg)? And since the default SBo<br>
behavior is to save the resulting packages in the same world-writable<br>
directory, /tmp, then again this *might* open the door to other<br>
modifications like you suggest. Either way, these problems are not<br>
specific to sbopkg. Sbopkg is just a 'front-end' to installpkg, in<br>
other words.<br>
<br>
In any event, if we decide to go forward with the idea of changing<br>
sbopkg so it sits in /usr/sbin and must be run as root, like slackpkg<br>
and the various *pkg tools, then presumably this issue is moot because<br>
the resulting packages from sbopkg would have the root:root perms?</blockquote><div><br>Making sure that sbopkg is only run by root makes no difference for this issue as sbopkg still would be able to install bad packages not created by sbopkg.<br>
<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
Perhaps a warning the package does not have root:root perms would be a<br>
good idea, regardless.<br>
<br></blockquote></div>Yes. You could also keep a private list of the packages (with file times) built and ready to be installed and remove them from the list after they have been moved/deleted. Another great idea would be to allow the admin to optionally have more info about the package before installing it. Output of 'ls -l', a cat of doinst.sh and perhaps the .SlackBuild file, and a total list of contents would be useful. If nothing else then the warning and 'ls -l' output may suffice. That way the permissions and time of creation could be seen and the warning would make it obvious if the perms were off.<br>
<br>But what happens if two legitimate SBo packages for the same software are created? Right now you are only given the option to install one of them. You may want to install the other package instead. If instead you were shown a 'ls -l' of all the matching packages and then were allowed to choose which one to install all of this would be more sane.<br>
<br>--phillip<br><br>
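<br>
The root:root warning and pre-install review suggested in this message, as an added example that is not part of the original thread and is not sbopkg code. The function names check_pkg_perms and review_pkg are hypothetical; GNU stat and GNU tar are assumed, as is the archive member name install/doinst.sh.<br>

```shell
#!/bin/sh
# Added example, not sbopkg code. Function names are hypothetical.

# check_pkg_perms PACKAGE [UID] [GID]
# Warn when PACKAGE is a symlink, is not owned by UID:GID (default 0:0,
# i.e. root:root), or is writable by group or others.
# Returns 0 when clean, 1 when any warning was printed.
check_pkg_perms() {
    cpp_pkg=$1 cpp_uid=${2:-0} cpp_gid=${3:-0} cpp_rc=0
    # In a world-writable directory a symlink can point anywhere.
    if [ -L "$cpp_pkg" ] || [ ! -f "$cpp_pkg" ]; then
        echo "WARNING: $cpp_pkg is a symlink or not a regular file"
        return 1
    fi
    # GNU stat: numeric owner, numeric group, octal mode.
    cpp_stat=$(stat -c '%u %g %a' "$cpp_pkg") || return 1
    set -- $cpp_stat
    if [ "$1" != "$cpp_uid" ] || [ "$2" != "$cpp_gid" ]; then
        echo "WARNING: $cpp_pkg is owned by $1:$2, expected $cpp_uid:$cpp_gid"
        cpp_rc=1
    fi
    # Octal 022 masks the group-write and other-write bits.
    if [ $(( 0$3 & 022 )) -ne 0 ]; then
        echo "WARNING: $cpp_pkg is group- or world-writable (mode $3)"
        cpp_rc=1
    fi
    return "$cpp_rc"
}

# review_pkg PACKAGE [UID] [GID]
# Show what the admin would want to see before installpkg runs:
# 'ls -l', any ownership warning, doinst.sh, and the file list.
# Assumes the install script is stored as install/doinst.sh.
review_pkg() {
    rp_rc=0
    ls -l "$1"
    check_pkg_perms "$@" || rp_rc=1
    echo "--- doinst.sh ---"
    tar -xOf "$1" install/doinst.sh 2>/dev/null || echo "(none)"
    echo "--- contents ---"
    tar -tvf "$1"
    return "$rp_rc"
}
```
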