
Bug 159252

Summary: installsources (in prepstrip) preserves perms, owner, etc.
Product: Portage Development
Reporter: Ed Catmur <ed>
Component: Core - Ebuild Support
Assignee: Portage team <dev-portage>
Status: RESOLVED FIXED
Severity: normal
CC: tester
Priority: High
Keywords: InVCS
Version: 2.1
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 147007
Attachments: installsources-safe-copy.patch

Description Ed Catmur 2006-12-27 16:37:34 UTC
prepstrip has:

			cat "${T}"/debug.sources | (cd "${WORKDIR}"; LANG=C sort -z -u | \
				rsync -aL0 --files-from=- "${WORKDIR}/" "${D}${sources_dir}/" )

rsync(1) says:
        -a, --archive               archive mode; equals -rlptgoD (no -H,-A,-X)
...
        -r, --recursive             recurse into directories
        -l, --links                 copy symlinks as symlinks
        -p, --perms                 preserve permissions
        -t, --times                 preserve times
        -g, --group                 preserve group
        -o, --owner                 preserve owner (super-user only)
            --devices               preserve device files (super-user only)
            --specials              preserve special files
        -D                          same as --devices --specials

This means that installsources will happily copy world-writable source files over; possible security hole? World-writable source files seem to happen a lot when using a git.eclass ebuild, but may arise elsewise.

Suggest: rsync -rtL0 etc. All we need is recursive; times are nice as well. Copying perms, owner and group is potentially harmful; preserving devices and specials is just silly.
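To make the difference between the two flag sets concrete, here is an added example (not part of the bug report, the attached patch, or Portage itself). It re-implements just the rsync behaviour the report turns on, in Python rather than by shelling out to rsync: with -p (part of -a) the source mode bits are copied verbatim, without it new files get the source mode masked by the receiving umask; -L makes a symlink arrive as a copy of its referent. The WORKDIR layout, the 0666 source file and the umask of 022 are constructed for the demonstration. Owner and group preservation (-o/-g) are not modelled because they only take effect for root.

```python
import os
import shutil
import stat
import tempfile


def _target_mode(st, preserve_perms, umask):
    """Mode the copy gets: verbatim (rsync -p) or masked by umask (rsync without -p)."""
    mode = stat.S_IMODE(st.st_mode)
    return mode if preserve_perms else mode & ~umask


def copy_tree(src, dst, preserve_perms, umask=0o022):
    """Copy src into dst the way prepstrip's rsync invocation does, following
    symlinks (-L) and preserving times (-t).  preserve_perms=True mimics -a's -p;
    False mimics the proposed -rtL0.  Device and special files are skipped (no -D)."""
    for root, dirs, files in os.walk(src, followlinks=True):
        rel = os.path.relpath(root, src)
        out_dir = dst if rel == "." else os.path.join(dst, rel)
        os.makedirs(out_dir, exist_ok=True)
        os.chmod(out_dir, _target_mode(os.stat(root), preserve_perms, umask))
        for name in files:
            s = os.path.join(root, name)
            d = os.path.join(out_dir, name)
            st = os.stat(s)  # os.stat follows symlinks, so a link yields its referent (-L)
            if not stat.S_ISREG(st.st_mode):
                continue  # -D would carry devices/specials across; -rtL0 does not
            shutil.copyfile(s, d)  # copies the referent's content, never the link
            os.chmod(d, _target_mode(st, preserve_perms, umask))
            os.utime(d, ns=(st.st_atime_ns, st.st_mtime_ns))  # -t


def world_writable(root):
    """QA check: relative paths under root (links excluded) with the other-write bit set."""
    hits = []
    for r, dirs, files in os.walk(root):
        for name in dirs + files:
            p = os.path.join(r, name)
            st = os.lstat(p)
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(p, root))
    return sorted(hits)


def demo(preserve_perms):
    """Build a constructed WORKDIR containing a world-writable source file (as a git
    checkout might leave it) plus a symlink to it, copy it into a fake image directory
    and return (mode of the copied file, whether the symlink became a regular file,
    world-writable paths found in the image)."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = os.path.join(tmp, "work")
        image = os.path.join(tmp, "image", "usr", "src", "debug", "pkg")
        os.makedirs(os.path.join(workdir, "src"))
        os.chmod(workdir, 0o755)
        os.chmod(os.path.join(workdir, "src"), 0o755)
        src_file = os.path.join(workdir, "src", "main.c")
        with open(src_file, "w") as f:
            f.write("int main(void) { return 0; }\n")
        os.chmod(src_file, 0o666)  # constructed: world-writable in WORKDIR
        os.symlink("main.c", os.path.join(workdir, "src", "alias.c"))

        copy_tree(workdir, image, preserve_perms)

        mode = stat.S_IMODE(os.stat(os.path.join(image, "src", "main.c")).st_mode)
        alias_is_regular = not os.path.islink(os.path.join(image, "src", "alias.c"))
        return mode, alias_is_regular, world_writable(image)


if __name__ == "__main__":
    print("rsync -aL0 style :", demo(True))   # 0o666 survives into the image
    print("rsync -rtL0 style:", demo(False))  # umask applied: 0o644, nothing world-writable
```

With perms preserved, both main.c and the dereferenced alias.c land in the image mode 0666, which is exactly what the report objects to; with the -rtL0 behaviour the same files arrive as 0644 and the world-writable scan comes back empty. The world_writable() scan is the kind of check that can be run over ${D} after installsources regardless of which rsync flags are in use.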
Comment 1 Ed Catmur 2006-12-27 16:44:54 UTC
Created attachment 104824 [details, diff]
installsources-safe-copy.patch

Patch against 2.1.2_rc4-r1: use -rtL0

btw, -L is --copy-links "transform symlink into referent file/dir", see bug 144928
Comment 2 Zac Medico gentoo-dev 2006-12-28 13:19:14 UTC
This is in svn r5408.  Thanks.
Comment 3 Zac Medico gentoo-dev 2006-12-28 19:10:45 UTC
This has been released in 2.1.2_rc4-r2.