
On Sun, Aug 06, 2006 at 07:26:33PM +0200, Andreas Hanke wrote:
> I don't know whether this default is really a security problem, but making it writable by root only means that only root can build RPMs unless the user sets %_topdir in his ~/.rpmmacros file.
I would think that this could be a security problem if used together with createrepo. (This goes for any writable directory you run createrepo on.) E.g.:

1) Make a makeSUSEdvd RPM and give it a version of 0.99.
2) Wait till the new version 0.35 is out and ask the admin to install that RPM.
3) He downloads the RPM and installs it with YaST, most likely not looking at what version he is installing. YaST will (re-)install the latest version. Whatever you put in that RPM is now installed.

So you must see that the directories you add as an installation source can't be compromised. I am the only user, so no real danger, but on a multi-user system this can be an issue, so adding /usr/src/packages/RPMS by default is not an option, I think.

--
Listen do you hear them drawing near in their search for the sinners?
Feeding on the power of our fear and the evil within us.
Incarnation of Satan's creation of all that we dread.
When the demons arrive those alive would be better off dead!
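The check an admin would want before pointing YaST (or any package manager) at a local directory such as /usr/src/packages/RPMS is whether anyone other than the expected owner can drop files into it. The script below is an added example for this thread, not code from the opensuse-factory discussion or from createrepo; it assumes a POSIX sh with a `find` that supports `-perm -NNN` and `-user`, and takes the expected owner as a second argument (defaulting to root) so it can also be run in a test environment without root.

```shell
#!/bin/sh
# check_repo_dir.sh - audit a directory that is used as a package
# installation source (a directory you run createrepo on).
# Added example for the thread above; assumptions: POSIX sh, find(1)
# with -perm/-user support.

# check_repo_dir DIR [OWNER]
# Returns 0 when DIR and everything below it is owned by OWNER (default
# root) and is neither group- nor world-writable. Otherwise prints each
# offending path and returns 1. A world- or group-writable directory is
# flagged even when the sticky bit is set, because the sticky bit only
# stops deletion of other users' files, not adding a new package.
check_repo_dir() {
    dir="$1"
    owner="${2:-root}"
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # -perm -002: world-writable, -perm -020: group-writable,
    # ! -user OWNER: not owned by the expected owner.
    findings=$(find "$dir" \( -perm -002 -o -perm -020 -o ! -user "$owner" \) -print 2>/dev/null)
    if [ -n "$findings" ]; then
        echo "unsafe entries under $dir (writable by others or wrong owner):" >&2
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage from the command line: ./check_repo_dir.sh /usr/src/packages/RPMS
if [ $# -gt 0 ]; then
    check_repo_dir "$@"
fi
```

Run it against every directory you intend to register as an installation source; a non-zero exit means a local user could add or replace an RPM there, and a package with a higher version number than the real one would be picked up as the "latest" version, exactly the scenario described above.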