Hi,

people got tired of all those Windows vulnerabilities, in particular spyware, which I consider very nasty. Yet, I'm writing from a Win box (with Thunderbird, at least ;) till I can choose the most practical e-mail client in KDE (either Thunderbird, or Kmail as I used before). But that is OT, and might be for another thread.

What really bothers me is what you guys pointed out: quoting Jorge:

"That means, for example, that if the package contains files that will go into sensible dirs like /etc, /usr etc, all of them will belong to user kosta, which is ugly. ;-)"

So, suppose that someone builds rpms with those directives (%defattr, ...) with "common" user names, like "mike", "dave", etc. (not like "kosta", rather unusual..) with the purpose to compromise, "statistically", those machines? Would that be possible? If yes, wouldn't it be a severe security flaw?? I can't believe that!!

We enjoy Linux for many reasons, and I think that at least one is to have some security integrity, not like the other OS mentioned. I wish I am wrong, and that a distributed rpm in places not as "reliable" as sourceforge, packman, etc. could not lead anyone to having his/her Linux box compromised.

Cheers,
PatrickM

Jorge Luis Arzola wrote:
Hi:
Moreover... the bug in the package must be the following: the packager forgot to use the %defattr directive in the %files section of the spec file used to build the package, so permissions on the files were set accordingly, and not to root, as the %defattr directive should have done. As said here before, it's just a small bug in the rpm package, as long as any user called kosta exists in the system... But hey, things get worse if by chance a user called kosta does exist in the system... In that case, for example, user kosta (and *NOT* root) will own in the system *every* file within the rpm pkg, as well as every folder in their path... That means, for example, that if the package contains files that will go into sensible dirs like /etc, /usr etc, all of them will belong to user kosta, which is ugly. ;-)

In fact, even official suse packages (which come with the distro) have had this bug in the past, as the packager forgets the mentioned directive. And I myself have found a beagle (not a suse one) package with this error the other day.
cheers
jorge
On 11/6/05, ajtiM wrote:
On Sunday 06 November 2005 15:41, Pascal Bleser wrote:
ajtiM wrote:
I installed package abcde with Synaptic and I got warnings:
While installing package abcde-2.3.3-0.pm.0:
warning: user kosta does not exist - using root
...
What is wrong, please?
Nothing bad. RPM packages include a list of files that are installed (which is, obviously, the primary goal of RPM packages ;)).
It also stores information about access rights, owner user and owner group. It's just a slight bug in the package, as the files have been stored as belonging to a user named "kosta" (who is most probably the person who made the package ;)). When installing the package, RPM also applies a "chown kosta" on the files, notices there's no user named "kosta" on your system and falls back to chown'ing them to root. It just gives you a warning that it did so.
Nothing bad, will work just fine, but a small bug in the package.
Please file a bug report to Packman => packman@links2linux.de and it will be fixed.
cheers
Thank you very much to everyone for explanation :)
--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-unsubscribe@opensuse.org For additional commands, e-mail: opensuse-help@opensuse.org
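Added example, not part of the thread: a shell check for the two cases discussed above, run before installing a package. It lists files whose recorded owner is not root and says whether that name exists locally (files end up owned by that user) or not (rpm warns and falls back to root). The sample listing, its paths and the passwd-file argument are constructed assumptions; `list_owners` uses rpm's FILEUSERNAME, FILEGROUPNAME and FILENAMES query tags.

```shell
#!/bin/sh
# Added example (not from the thread). The sample data below is constructed.

# Print "user group path" for every file recorded in a package file.
list_owners() {
    rpm -qp --queryformat '[%{FILEUSERNAME} %{FILEGROUPNAME} %{FILENAMES}\n]' "$1"
}

# Read "user group path" lines on stdin and report every file whose recorded
# owner is not root. $1 is the passwd file to check names against
# (assumption: local accounts only, default /etc/passwd).
audit_owners() {
    awk -v pw="${1:-/etc/passwd}" '
        BEGIN {
            # Collect the account names that exist on this system.
            while ((getline line < pw) > 0) {
                split(line, field, ":")
                known[field[1]] = 1
            }
        }
        $1 != "root" {
            path = $0
            sub(/^[^ ]+ +[^ ]+ +/, "", path)   # keep paths containing spaces
            if (($1) in known)
                print "owned-by-local-user", $1, path
            else
                print "falls-back-to-root", $1, path
        }
    '
}

# Constructed listing in the shape list_owners prints.
sample_listing() {
    cat <<'EOF'
kosta users /usr/bin/abcde
kosta users /etc/abcde.conf
root root /usr/share/doc/packages/abcde/README
EOF
}

# With a package file as argument, audit it; otherwise audit the sample.
if [ -f "${1:-}" ]; then
    list_owners "$1" | audit_owners
else
    sample_listing | audit_owners
fi
```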