On Mon, Jun 11, 2007 at 05:01:11PM +0200, Martin Vidner wrote:
On Mon, Jun 11, 2007 at 04:46:50PM +0200, Stanislav Višňovský wrote:
On Mon, 11 Jun 2007 16:31, Duncan Mac-Vicar Prett wrote:
- url variables "plugins":
  -> provide the basic ones built-in (arch, releasever, etc)
  -> in zypp.conf [url-variables] foo=/somescript.sh
     or by convention (just drop a script in /etc/zypp/urlvars/foo)
I expect the location to be root-writeable only ;-) This might be a big security hole if done improperly.
Yes, remember that with yast2-metapackage-handler.rpm and related browser enablement, the user can cause much processing of untrusted data before being asked for confirmation.
We should explicitly drop root privileges for the variable plugins, plus watch out for a DoS.
Hmm. This is problematic, as my system id plugin requires root privileges to do its job. Not sure exactly what you are proposing here, but it may affect me.

As a point of comparison, when my plugin is run on yum as non-root, it simply doesn't fill in the variable. This is OK, as yum is always run as root to do actual package install. I don't know enough about zypp to make the same statement there. Is package install only done by root? If so, will the plugins have root permissions?

-- Michael