Mailinglist Archive: opensuse-factory (599 mails)
Re: [opensuse-factory] Running a program when launching the SUSE install part
- From: Andreas Hanke <andreas.hanke@xxxxxxxxxxxxxx>
- Date: Sun, 06 Aug 2006 19:26:33 +0200
- Message-id: <44D62649.5070802@xxxxxxxxxxxxxx>
Hi,
houghi wrote:
> Would `yast -i /tmp/file.rpm` solve that? I assume only after a createrepo
> (or something similar)
No, "yast -i filename.rpm" is equivalent to "rpm -U --nodeps --force
filename.rpm".
"createrepo" followed by "yast -i packagename" would work, but it's
insecure (YaST could install the wrong package if a different
installation source contains a newer version of the same package -
remember that newer is not always better).
Side note: The current, broken situation in 10.1 is even more insecure
because it can install an _old_ version if that incidentally exists in
one of the working installation sources.
> About /usr/src/packages/RPMS being writable by default. That is indeed a
> much more serious issue. You can not then use that as a default. Is there
> a reason that it is writable for all?
The permissions of /usr/src/packages are handled by the permissions
system, i.e. /etc/permissions.*. You can change the permissions settings
in /etc/sysconfig/security. Run "SuSEconfig --module permissions"
afterwards.
I don't know whether this default is really a security problem, but
making it writable by root only means that only root can build RPMs
unless the user sets %_topdir in his ~/.rpmmacros file.
Changing that would make doing things like creating ATI driver RPMs take a
tiny little bit longer because the user would have to perform one additional
step (create ~/.rpmmacros or, much worse, do it as root). Not a severe
problem, but it would have to be documented.
Andreas Hanke
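
Added example, not part of the mail above and not openSUSE's own tooling: a POSIX shell sketch that lists world-writable directories under a build tree such as /usr/src/packages and performs the "one additional step" of pointing %_topdir at a private per-user tree. The function names and the `rpmbuild` directory name are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a build tree and set up a per-user %_topdir.

# Print every directory under $1 that is writable by "other".
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# Point rpm's %_topdir at a private tree for the user whose home is $1.
# The tree name "rpmbuild" is an assumption of this example.
setup_user_topdir() {
    home=$1
    topdir="$home/rpmbuild"
    macros="$home/.rpmmacros"

    # Leave an existing %_topdir definition alone.
    if [ -f "$macros" ] && grep -q '^%_topdir[[:space:]]' "$macros"; then
        return 0
    fi

    # Standard rpm build subdirectories, not writable by group or other.
    for d in BUILD RPMS SOURCES SPECS SRPMS; do
        mkdir -p "$topdir/$d" || return 1
    done
    chmod -R go-w "$topdir" || return 1

    printf '%%_topdir %s\n' "$topdir" >> "$macros"
}

# Return non-zero and list the directories if the tree is open to all users.
audit_default_tree() {
    tree=${1:-/usr/src/packages}
    found=$(world_writable_dirs "$tree")
    if [ -n "$found" ]; then
        printf 'world-writable build directories:\n%s\n' "$found"
        return 1
    fi
    return 0
}
```

Call `audit_default_tree` with no argument to check /usr/src/packages, and `setup_user_topdir "$HOME"` as the unprivileged user who will build packages.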