When emerging gaim, /var/tmp/portage/gaim-0.59.6 and files have world write. IMHO, this is a significant security issue.
*** Bug 11820 has been marked as a duplicate of this bug. ***
0755 /var/tmp/portage/
0755 /var/tmp/portage/gaim-0.59.6
0755 /var/tmp/portage/gaim-0.59.6/temp
0600 /var/tmp/portage/gaim-0.59.6/temp/*
0700 /var/tmp/portage/gaim-0.59.6/work/
0777 /var/tmp/portage/gaim-0.59.6/work/gaim-0.59.6/

As you can't get to that last directory, I don't see a problem. This is an upstream issue... They shouldn't be releasing tarballs with 0777 permissions. I'll see about correcting it though.
Thanks for getting right on this. Perhaps it would be safe to assume every package could be unpacked world writable. When I was submitting the bug, I was thinking that it might be a good idea to always "chown -R root.root; chmod -R o-w package" after unpacking a package. You are right that the privileges on the work directory block access, but what if someone accidentally with some future version of portage? Yes, I am one of those paranoid security guys. I guess I am making an argument for layered security. For example, many people will leave daemons unsecured because they have a firewall. Later these people learn a harsh lesson when they are compromised because they accidentally left their firewall misconfigured, even if for only a short time. Thanks again.
It's ok.
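The two positions in the exchange above can be checked mechanically. The following is an added example, not part of the original thread and not Portage code: it lists world-writable paths in an unpacked tree, reports whether a 0700 ancestor such as work/ currently shields them, and applies the proposed o-w cleanup. All function names and the file name "configure" are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not Portage code. Decisions use mode bits only, so results
# are the same whether or not the script runs as root.

# Paths under $1 that grant write to "other" (symlink modes are meaningless).
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Succeeds if every directory between $1 and the build root $2 (inclusive)
# grants search (x) to "other", i.e. an unprivileged user can reach $1.
reachable_by_other() {
    dir=$(dirname "$1")
    while :; do
        case $(ls -ld "$dir" | cut -c10) in
            x|t) ;;            # t = sticky bit plus search
            *) return 1 ;;     # a 0700 ancestor such as work/ stops here
        esac
        if [ "$dir" = "$2" ] || [ "$dir" = / ]; then return 0; fi
        dir=$(dirname "$dir")
    done
}

# Report each world-writable path as exposed or shielded by an ancestor.
audit() {
    world_writable "$1" | while IFS= read -r p; do
        if reachable_by_other "$p" "$1"; then echo "exposed $p"
        else echo "shielded $p"; fi
    done
}

# The layered fix from the thread: clear other-write after unpacking.
# (The chown to root is omitted because it needs root privileges.)
strip_other_write() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
}

# Constructed stand-in for the layout in the thread; "configure" is invented.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/work/gaim-0.59.6"
    : > "$root/work/gaim-0.59.6/configure"
    chmod 0755 "$root"; chmod 0700 "$root/work"
    chmod 0777 "$root/work/gaim-0.59.6" "$root/work/gaim-0.59.6/configure"
    echo "$root"
}
```

After sourcing the file, `audit "$(make_demo_tree)"` prints two "shielded" lines; loosening work/ to 0755 turns both into "exposed", which is the failure case the o-w cleanup guards against.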