| Summary: | security: world write in /var/tmp/portage while emerging | | |
|---|---|---|---|
| Product: | Portage Development | Reporter: | Tony Walker <tonlwalk> |
| Component: | Unclassified | Assignee: | Nicholas Jones (RETIRED) <carpaski> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | trivial | | |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Tony Walker
2002-12-08 22:26:34 UTC
*** Bug 11820 has been marked as a duplicate of this bug. ***

    0755 /var/tmp/portage/
    0755 /var/tmp/portage/gaim-0.59.6
    0755 /var/tmp/portage/gaim-0.59.6/temp
    0600 /var/tmp/portage/gaim-0.59.6/temp/*
    0700 /var/tmp/portage/gaim-0.59.6/work/
    0777 /var/tmp/portage/gaim-0.59.6/work/gaim-0.59.6/

As you can't get to that last directory, I don't see a problem.

This is an upstream issue... They shouldn't be releasing tarballs with 0777 permissions. I'll see about correcting it though.

Thanks for getting right on this. Perhaps it would be safe to assume every package could be unpacked world writable. When I was submitting the bug, I was thinking that it might be a good idea to always "chown -R root.root; chmod -R o-w package" after unpacking a package. You are right that the privileges on the work directory block access, but what if someone accidentally with some future version of portage? Yes, I am one of those paranoid security guys. I guess I am making an argument for layered security. For example, many people will leave daemons unsecured because they have a firewall. Later these people learn a harsh lesson when they are compromised because they accidentally left their firewall misconfigured, even if for only a short time. Thanks again.

It's ok.
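
Both positions in this thread can be checked mechanically. The script below is an added example, not part of the original report and not Portage code: it rebuilds the listed modes in a temporary directory, reports each world-writable entry as shielded or exposed depending on whether an enclosing directory withholds the other-execute bit, and applies the `o-w` half of the proposed clean-up. All function names are hypothetical, and the tree is constructed under `mktemp -d` rather than `/var/tmp/portage`.

```sh
#!/bin/sh
# Added example, not Portage code; all function names are hypothetical.

# Build a constructed tree with the modes from the listing in this report.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/gaim-0.59.6/temp" "$t/gaim-0.59.6/work/gaim-0.59.6"
    chmod 0755 "$t" "$t/gaim-0.59.6" "$t/gaim-0.59.6/temp"
    chmod 0700 "$t/gaim-0.59.6/work"
    chmod 0777 "$t/gaim-0.59.6/work/gaim-0.59.6"
    echo "$t"
}

# List every non-symlink entry under $1 that has the other-write bit set.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Succeed only if every directory from the parent of $2 up to $1 has the
# other-execute bit, i.e. nothing inside the tree blocks traversal.
# Directories above $1 are not examined.
reachable_by_other() {
    top=$1; dir=$2
    while [ "$dir" != "$top" ]; do
        dir=$(dirname "$dir")
        [ -n "$(find "$dir" -prune -perm -0001)" ] || return 1
        case $dir in /|.) break ;; esac
    done
    return 0
}

# Report each world-writable entry as "exposed" or "shielded".
# Assumes path names without newlines.
audit_tree() {
    world_writable "$1" | while IFS= read -r p; do
        if reachable_by_other "$1" "$p"; then
            echo "exposed $p"
        else
            echo "shielded $p"
        fi
    done
}

# The o-w half of the clean-up proposed in the thread, skipping symlinks.
strip_other_write() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
}
```

With the modes as listed, the 0777 directory is reported as shielded; if the 0700 on `work/` is ever loosened, the same entry becomes exposed unless the other-write bit has already been stripped.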