# ls -l `epm -ql emerald-themes`|less -rw-r--r-- 1 1000 1000 1109 Nov 23 09:36 /usr/share/emerald/themes/Adonis/buttons.above.png -rw-r--r-- 1 1000 1000 1517 Nov 23 09:36 [...] Luckily (for me) I don't have a user with uid=1000
Actually looking further, some of the files are owned by mythtv (uid=gid=103): 117696 4 -rw-r--r-- 1 mythtv mythtv 423 Nov 23 09:36 /usr/share/emerald/themes/Canopy/buttons.sticky.png 117692 4 -rw-r--r-- 1 mythtv mythtv 742 Nov 23 09:36 /usr/share/emerald/themes/Canopy/buttons.shade.png 117686 4 -rw-r--r-- 1 mythtv mythtv 311 Nov 23 09:36 /usr/share/emerald/themes/Canopy/buttons.restore.png 117685 4 -rw-r--r-- 1 mythtv mythtv 313 Nov 23 09:36 /usr/share/emerald/themes/Canopy/buttons.max.png 117691 4 -rw-r--r-- 1 mythtv mythtv 257 Nov 23 09:36 /usr/share/emerald/themes/Canopy/buttons.menu.png [...]
unrestricting, so bug-wranglers can access this I don't see a real security impact here at the moment. Correct me if I am overlooking something though, since I'm getting quite tired...
BTW, nesl247@bery-project.org doesn't match any bugzilla alias, nor does a typo-fixed one match anything. Please fix metadata.xml
Well a local user with uid=1000 and/or mythtv has the capacity to remove/overwrite files/directories as well as potentially fill the /usr filesystem, bypass quotas, etc. Probably not a *major* security issue (e.g. gain root access) but a security issue nonetheless.
that is a bit funky and I'll look into it. See why its creating such funky group user combinations.
This should now be fixed. The tar files have some really funky user/groups and I am ignoring them so it should work fine in the -r1 now. It should also be fixed upstream later down the line.