Comment 1 Albert Hopkins (RETIRED) 2006-11-23 07:56:06 UTC

Actually looking further, some of the files are owned by mythtv (uid=gid=103):

117696    4 -rw-r--r--   1 mythtv   mythtv        423 Nov 23 09:36 /usr/share/emerald/themes/Canopy/buttons.sticky.png
117692    4 -rw-r--r--   1 mythtv   mythtv        742 Nov 23 09:36 /usr/share/emerald/themes/Canopy/buttons.shade.png
117686    4 -rw-r--r--   1 mythtv   mythtv        311 Nov 23 09:36 /usr/share/emerald/themes/Canopy/buttons.restore.png
117685    4 -rw-r--r--   1 mythtv   mythtv        313 Nov 23 09:36 /usr/share/emerald/themes/Canopy/buttons.max.png
117691    4 -rw-r--r--   1 mythtv   mythtv        257 Nov 23 09:36 /usr/share/emerald/themes/Canopy/buttons.menu.png
[...]

Comment 2 Matthias Geerdsen (RETIRED) 2006-12-05 12:06:08 UTC

unrestricting, so bug-wranglers can access this

I don't see a real security impact here at the moment. Correct me if I am overlooking something though, since I'm getting quite tired...

Comment 3 Jakub Moc (RETIRED) 2006-12-05 12:09:45 UTC

BTW, nesl247@bery-project.org doesn't match any bugzilla alias, nor does a typo-fixed one match anything. Please fix metadata.xml

Comment 4 Albert Hopkins (RETIRED) 2006-12-05 16:05:33 UTC

Well a local user with uid=1000 and/or mythtv has the capacity to remove/overwrite files/directories as well as potentially fill the /usr filesystem, bypass quotas, etc. Probably not a *major* security issue (e.g. gain root access) but a security issue nonetheless.

Comment 5 Joshua Jackson (RETIRED) 2006-12-05 16:16:07 UTC

that is a bit funky and I'll look into it. See why its creating such funky group user combinations.

Comment 6 Joshua Jackson (RETIRED) 2006-12-07 13:31:26 UTC

This should now be fixed. The tar files have some really funky user/groups and I am ignoring them so it should work fine in the -r1 now. It should also be fixed upstream later down the line.