[opensuse-packaging] cleaning the buildroot correctly
Hi,

darix asked me to post this ;)

Quite some time ago we had the discussion how the buildroot should be created in a secure way in %install.

BAD:

    %install
    rm -rf $RPM_BUILD_ROOT
    mkdir -p $RPM_BUILD_ROOT/usr/...
    or
    make install

Why?

RPM_BUILD_ROOT is within /var/tmp and you just opened a trivial race condition to a local attacker on your machine to take over your account (or even root if you build as root).

It is better not to "rm -rf $RPM_BUILD_ROOT" in %install at all (and rely on %clean to do it).

If you want to clean it, better do:

    %install
    rm -rf $RPM_BUILD_ROOT
    mkdir $RPM_BUILD_ROOT
    mkdir -p $RPM_BUILD_ROOT/usr ...
    or
    make install

In this case the "mkdir $RPM_BUILD_ROOT" would fail and the build would abort if an attacker tries to replace the buildroot by his own symlink.

(or similar ;)

Ciao, Marcus
--
Working, but not speaking for the following german company:
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-packaging+help@opensuse.org

On 2007-02-14 18:02:22 +0100, Marcus Meissner wrote:
> darix asked me to post this ;)

thanks! :)

> Quite some time ago we had the discussion how the buildroot should be created in a secure way in %install.
>
> BAD:
>
>     %install
>     rm -rf $RPM_BUILD_ROOT
>     mkdir -p $RPM_BUILD_ROOT/usr/...
>     or
>     make install
>
> Why?
>
> RPM_BUILD_ROOT is within /var/tmp and you just opened a trivial race condition to a local attacker on your machine to take over your account (or even root if you build as root).
>
> It is better not to "rm -rf $RPM_BUILD_ROOT" in %install at all (and rely on %clean to do it).
>
> If you want to clean it, better do:
>
>     %install
>     rm -rf $RPM_BUILD_ROOT
>     mkdir $RPM_BUILD_ROOT
>     mkdir -p $RPM_BUILD_ROOT/usr ...
>     or
>     make install
>
> In this case the "mkdir $RPM_BUILD_ROOT" would fail and the build would abort if an attacker tries to replace the buildroot by his own symlink.
>
> (or similar ;)

for suse based distributions there is no need for rm -rf $BUILD_ROOT as our rpm is taking care of this for you. so if you just care about packaging for suse leave the rm line out.

darix
--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org

Hi,

> If you want to clean it, better do:
>
>     %install
>     rm -rf $RPM_BUILD_ROOT
>     mkdir $RPM_BUILD_ROOT
>     mkdir -p $RPM_BUILD_ROOT/usr ...
>     or
>     make install

Or even more trivial:

    rm -rf $RPM_BUILD_ROOT/*

Also note that %clean is not the same as %install. It becomes increasingly popular these days to remove rm -rf $RPM_BUILD_ROOT from %clean. Maybe some day rpm will make this obsolete, but right now it does not (yet) and other than within %install, doing this within %clean does _not_ open a race condition. Not doing this causes your package to leave stale tmp files behind, preventing other users from rebuilding the same package on the same machine.

Andreas Hanke

Hi,

On Wed, 14 Feb 2007 at 22:46, andreas.hanke@gmx-topmail.de wrote:

>     rm -rf $RPM_BUILD_ROOT/*

I think this is vulnerable to a symlink attack. If somebody has created $RPM_BUILD_ROOT as a symlink that points to your home dir, then

    rm -rf $RPM_BUILD_ROOT

will be safe, as it either removes the symlink or fails if you don't have permission to remove it, but

    rm -rf $RPM_BUILD_ROOT/*

will "clean up" your home dir.

cu Reinhard

Hi,

> If somebody has created $RPM_BUILD_ROOT as a symlink that points to your home dir, then
>
>     rm -rf $RPM_BUILD_ROOT
>
> will be safe, as it either removes the symlink or fails if you don't have permission to remove it, but
>
>     rm -rf $RPM_BUILD_ROOT/*
>
> will "clean up" your home dir.

If somebody has created $RPM_BUILD_ROOT as a symlink, %build will correct that securely:

    + /bin/rm -rf /var/tmp/gnucash-docs-2.0.1-build
    ++ dirname /var/tmp/gnucash-docs-2.0.1-build
    + /bin/mkdir -p /var/tmp
    + /bin/mkdir /var/tmp/gnucash-docs-2.0.1-build

Andreas Hanke

On Thu, Feb 15, 2007 at 02:31:29PM +0100, andreas.hanke@gmx-topmail.de wrote:

> Hi,
>
> > If somebody has created $RPM_BUILD_ROOT as a symlink that points to your home dir, then
> >
> >     rm -rf $RPM_BUILD_ROOT
> >
> > will be safe, as it either removes the symlink or fails if you don't have permission to remove it, but
> >
> >     rm -rf $RPM_BUILD_ROOT/*
> >
> > will "clean up" your home dir.
>
> If somebody has created $RPM_BUILD_ROOT as a symlink, %build will correct that securely:
>
>     + /bin/rm -rf /var/tmp/gnucash-docs-2.0.1-build
>     ++ dirname /var/tmp/gnucash-docs-2.0.1-build
>     + /bin/mkdir -p /var/tmp
>     + /bin/mkdir /var/tmp/gnucash-docs-2.0.1-build

Well, if you rely on this then there is no point in the above command anyway.

Robert
--
Robert Schiele
Dipl.-Wirtsch.informatiker mailto:rschiele@gmail.com
"Quidquid latine dictum sit, altum sonatur."

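The four behaviours argued about in this thread (mkdir -p versus plain mkdir after the rm, and rm -rf on the directory versus on its glob), reproduced in a throwaway sandbox. This is an added example, not part of any of the posts; the paths, the sample file and the `plant` helper standing in for the second local user are constructed.

```sh
# Constructed sandbox: a private mktemp directory stands in for /var/tmp,
# $VICTIM for the builder's home directory, $BR for $RPM_BUILD_ROOT.
sandbox() {
    SB=$(mktemp -d) || return 1
    VICTIM="$SB/home"; BR="$SB/pkg-1.0-build"
    mkdir "$VICTIM" && echo data > "$VICTIM/precious"
}
# Hypothetical helper: the other local user wins the race after "rm -rf".
plant() { ln -s "$VICTIM" "$BR"; }

# BAD %install: "mkdir -p" accepts the planted symlink and builds through it.
bad_install() {
    sandbox || return 2
    rm -rf "$BR"; plant
    mkdir -p "$BR/usr" 2>/dev/null
    rc=0; [ -d "$VICTIM/usr" ] || rc=1     # 0 = files landed in the victim dir
    rm -rf "$SB"; return $rc
}

# Variant with a plain "mkdir": it fails on the symlink, so the build aborts.
safer_install() {
    sandbox || return 2
    rm -rf "$BR"; plant
    rc=0; if mkdir "$BR" 2>/dev/null; then rc=1; fi   # 0 = mkdir refused
    [ ! -e "$VICTIM/usr" ] || rc=1
    rm -rf "$SB"; return $rc
}

# "rm -rf $BR/*": the glob is expanded through the symlink.
glob_clean() {
    sandbox || return 2
    plant
    rm -rf "$BR"/*
    rc=0; [ ! -e "$VICTIM/precious" ] || rc=1   # 0 = victim's file is gone
    rm -rf "$SB"; return $rc
}

# "rm -rf $BR": only the symlink itself is removed.
plain_clean() {
    sandbox || return 2
    plant
    rm -rf "$BR"
    rc=0; { [ ! -L "$BR" ] && [ -e "$VICTIM/precious" ]; } || rc=1
    rm -rf "$SB"; return $rc
}

for t in bad_install safer_install glob_clean plain_clean; do
    if $t; then echo "$t: matches the thread"; else echo "$t: differs"; fi
done
```
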
participants (5)
- andreas.hanke@gmx-topmail.de
- Marcus Meissner
- Marcus Rueckert
- Reinhard Max
- Robert Schiele