Bug 4352 - Tiny security hole allows users to update the tree
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Unclassified
Hardware: x86 Linux
Importance: High critical
Assignee: Daniel Robbins (RETIRED)
Reported: 2002-06-30 12:18 UTC by Matteo Sasso
Modified: 2011-10-30 22:18 UTC
Description Matteo Sasso 2002-06-30 12:18:12 UTC
Logging in as a wheel user and trying an "emerge sync", as expected, displays a warning because only root is allowed to do that operation. It also says that wheel users are only allowed to --pretend. So I tried an "emerge sync -cp" and it bypasses security: the sync is executed since portage cannot "--pretend" it! So all modifications to the portage tree are lost. I think it's a bug and that it should be fixed by not allowing the --pretend option within a sync. Ain't it?
Comment 1 Daniel Robbins (RETIRED) gentoo-dev 2002-07-11 03:25:08 UTC
Will be fixed in Portage 2.0.12.  Thanks :)  I also fixed "inject."
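
A minimal model of the check described in this report, added here as an illustration and not taken from Portage's source: the flawed gate trusts `--pretend` for any action, while the hardened gate ignores it for actions that cannot be simulated. The function names, user classes and the `merge` action are assumptions; treating `inject` the same way as `sync` is inferred from comment 1.

```python
# Constructed model of the privilege check in this report; not Portage's code.
ROOT, WHEEL, OTHER = "root", "wheel", "other"

# Actions with no dry-run path: they always change the tree.
# "sync" is from the report; "inject" is assumed from comment 1.
NO_PRETEND_ACTIONS = {"sync", "inject"}


def authorize_flawed(user_class, action, pretend):
    """Flawed gate: treats --pretend as proof that the run is read-only."""
    if user_class == ROOT:
        return True
    if user_class == WHEEL and pretend:
        return True  # bug: never checks whether `action` honours --pretend
    return False


def authorize_fixed(user_class, action, pretend):
    """Hardened gate: --pretend lowers the required privilege only for
    actions that can actually be simulated."""
    if user_class == ROOT:
        return True
    effective_pretend = pretend and action not in NO_PRETEND_ACTIONS
    return user_class == WHEEL and effective_pretend


def run(authorize, user_class, action, pretend=False):
    """Return 'denied', 'simulated' or 'modified' for one invocation."""
    if not authorize(user_class, action, pretend):
        return "denied"
    if pretend and action not in NO_PRETEND_ACTIONS:
        return "simulated"
    return "modified"  # sync/inject ignore --pretend, so the tree changes


if __name__ == "__main__":
    for gate in (authorize_flawed, authorize_fixed):
        for action in ("sync", "inject", "merge"):
            result = run(gate, WHEEL, action, pretend=True)
            print(f"{gate.__name__:17} wheel {action:6} --pretend -> {result}")
```

The underlying rule is that the authorization decision has to be derived from what the action will actually do, not from a flag the action may ignore.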