Permissions rpm directories
Hi all,

This is more or less one for Roman & Co.
Is there a compelling reason why the directories under /usr/src/packages should be world writable and readable?

theo:/home/theo $ sudo rpm -ql --dump rpm-3.0.4-0
[..]
/usr/src/packages/BUILD 35 953918273 041777 root root 0 0 8772 X
/usr/src/packages/RPMS 77 953918273 041777 root root 0 0 597 X
/usr/src/packages/RPMS/i386 35 953918273 041777 root root 0 0 0 X
/usr/src/packages/RPMS/noarch 35 953918273 041777 root root 0 0 18526 X
/usr/src/packages/SOURCES 35 953918273 041777 root root 0 0 18707 X
/usr/src/packages/SPECS 35 953918273 041777 root root 0 0 18508 X
/usr/src/packages/SRPMS 35 953918273 041777 root root 0 0 18504 X

What stops a local from messing with sources, (re)builds, specs etc?

Theo
Hi all,
This is more or less one for Roman & Co. Is there a compelling reason why the directories under /usr/src/packages should be world writable and readable?
Yes, yes. :-) This enables non-root users to install source rpms. IMO a good idea, but feel free to close these directories if you wish. I've added these directories to the list of additional items for /etc/permissions.easy + /etc/permissions.secure.
theo:/home/theo $ sudo rpm -ql --dump rpm-3.0.4-0
[..]
/usr/src/packages/BUILD 35 953918273 041777 root root 0 0 8772 X
/usr/src/packages/RPMS 77 953918273 041777 root root 0 0 597 X
/usr/src/packages/RPMS/i386 35 953918273 041777 root root 0 0 0 X
/usr/src/packages/RPMS/noarch 35 953918273 041777 root root 0 0 18526 X
/usr/src/packages/SOURCES 35 953918273 041777 root root 0 0 18707 X
/usr/src/packages/SPECS 35 953918273 041777 root root 0 0 18508 X
/usr/src/packages/SRPMS 35 953918273 041777 root root 0 0 18504 X
What stops a local from messing with sources, (re)builds, specs etc?
Nothing. srpms + spec files are only needed when a package is supposed to be built.
Theo
Thanks,
Roman.
--
| Roman Drahtmüller <draht@suse.de> // "Caution: Cape does
| SuSE GmbH - Security Phone: // not enable user to fly."
| Nürnberg, Germany +49-911-740530 // (Batman Costume warning label)
On Mon, 2 Apr 2001, Roman Drahtmueller wrote:
Yes, yes. :-) This enables non-root users to install source rpms. IMO a good idea, but feel free to close these directories if you wish.
I've added these directories to the list of additional items for /etc/permissions.easy + /etc/permissions.secure.
Can't a user opt to install these at a different location by passing some argument to the rpm program?

Would you also make /etc/passwd world-writable because it makes it easier for users to update their password from another account if they forget their password? Maybe a bit drastic but there are never any good excuses for leaving directories world-writable like that.

--
Henrik Edlund <henrik@edlund.org> (HE2914-RIPE)
http://www.edlund.org/

"They were in the wrong place at the wrong time. Naturally they became heroes."
Leia Organa of Alderaan, Senator
I've added these directories to the list of additional items for /etc/permissions.easy + /etc/permissions.secure.
Can't a user opt to install these at a different location by passing some argument to the rpm program?
Sure.

  mkdir -p usr/src/packages
  rpm -ihv schnick.spm

That works.
Would you also make /etc/passwd world-writable because it makes it easier for users to update their password from another account if they forget their password? Maybe a bit drastic but there are never any good excuses for leaving directories world-writable like that.
If that is suitable, yes. You get what you want in such a system. This comparison lacks some sort of reality, as you claimed right.

Feel free to change it if you prefer so. Insert my permissions mumble from the last mail at this place.

Roman.
--
| Roman Drahtmüller <draht@suse.de> "Caution: Cape does not
| SuSE GmbH - Security enable user to fly."
| Nürnberg, Germany (Batman Costume warning label)
On Mon, 2 Apr 2001, Roman Drahtmueller wrote:
Hi all,
This is more or less one for Roman & Co. Is there a compelling reason why the directories under /usr/src/packages should be world writable and readable?
Yes, yes. :-) This enables non-root users to install source rpms. IMO a good idea, but feel free to close these directories if you wish.
I did as soon as I discovered this.
I've added these directories to the list of additional items for /etc/permissions.easy + /etc/permissions.secure.
Ok, Thanks. Theo
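
Added example (not part of the original thread, and not SuSE's or rpm's own code): a small audit script that reads `rpm -ql --dump` output like the listing quoted above and reports packaged directories that are world-writable. The field positions are an assumption taken from the sample lines in the thread; the 0755 directory and the regular-file line in the sample are constructed.

```python
import stat

# Constructed sample: the first two lines are copied from the dump in the
# thread; the last two (a 0755 directory, a file with a digest) are made up.
SAMPLE_DUMP = """\
theo:/home/theo $ sudo rpm -ql --dump rpm-3.0.4-0
[..]
/usr/src/packages/BUILD 35 953918273 041777 root root 0 0 8772 X
/usr/src/packages/SOURCES 35 953918273 041777 root root 0 0 18707 X
/usr/lib/rpm 1024 953918273 040755 root root 0 0 0 X
/usr/lib/rpm/rpmrc 6800 953918273 0123456789abcdef0123456789abcdef 0100644 root root 0 0 0 X
"""

def parse_dump_line(line):
    """Return (path, mode, owner, group), or None if the line is not a record."""
    tokens = line.split()
    if len(tokens) < 10 or not tokens[0].startswith("/"):
        return None
    # Directory lines in the thread carry no digest field, file lines do, so
    # count from the right: mode owner group isconfig isdoc rdev symlink.
    try:
        mode = int(tokens[-7], 8)  # e.g. "041777" -> S_IFDIR | 01777
    except ValueError:
        return None
    return tokens[0], mode, tokens[-6], tokens[-5]

def world_writable_dirs(dump_text):
    """List directories whose 'other' write bit is set."""
    findings = []
    for line in dump_text.splitlines():
        record = parse_dump_line(line)
        if record is None:
            continue
        path, mode, owner, group = record
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            findings.append({
                "path": path,
                "perms": format(stat.S_IMODE(mode), "04o"),
                # Sticky bit: users cannot remove each other's entries, but
                # any local user can still create files in the directory.
                "sticky": bool(mode & stat.S_ISVTX),
                "owner": owner,
                "group": group,
            })
    return findings

if __name__ == "__main__":
    for f in world_writable_dirs(SAMPLE_DUMP):
        print(f"{f['path']}: mode {f['perms']} sticky={f['sticky']} owner={f['owner']}")
```

Directories reported here are the candidates for tightening through /etc/permissions.easy or /etc/permissions.secure, as discussed in the thread.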