
Bug 215001

Summary: sys-power/nut ebuild cleanup
Product: Gentoo Linux
Reporter: Rajiv Aaron Manglani (RETIRED) <rajiv>
Component: New packages
Assignee: Robin Johnson <robbat2>
Status: RESOLVED INVALID    
Severity: trivial    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2008-03-27 01:39:03 UTC
On Saturday 15 March 2008, Donnie Berkholz wrote:
> 1.1                  sys-power/nut/nut-2.2.1.ebuild
>
> file :
> http://sources.gentoo.org/viewcvs.py/gentoo-x86/sys-power/nut/nut-2.2.1.ebuild?rev=1.1&view=markup
> plain:
> http://sources.gentoo.org/viewcvs.py/gentoo-x86/sys-power/nut/nut-2.2.1.ebuild?rev=1.1&content-type=text/plain
>
> src_install() {
>
...
>
>     eval fperms 0640 ${NUT_PRIVATE_FILES}
>     eval fowners root:nut ${NUT_PRIVATE_FILES}
>
>     eval fperms 0644 ${NUT_PUBLIC_FILES}
>     eval fowners root:root ${NUT_PUBLIC_FILES}
>
...
>
> pkg_postinst() {
>     # this is to ensure that everybody that installed old versions still has
>     # correct permissions
>
>     chown nut:nut "${ROOT}"/var/lib/nut 2>/dev/null
>     chmod 0700 "${ROOT}"/var/lib/nut 2>/dev/null
>
>     eval chown root:nut "${ROOT}"${NUT_PRIVATE_FILES} 2>/dev/null
>     eval chmod 0640 "${ROOT}"${NUT_PRIVATE_FILES} 2>/dev/null
>
>     eval chown root:root "${ROOT}"${NUT_PUBLIC_FILES} 2>/dev/null
>     eval chmod 0644 "${ROOT}"${NUT_PUBLIC_FILES} 2>/dev/null
>
Is there any reason why eval is used in either of these places?
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-03-27 20:53:43 UTC
The two variables NUT_PRIVATE_FILES and NUT_PUBLIC_FILES contain shell expansions, and unless the eval is used, the chmod/chown/fperms/fowners calls do NOT work properly.

If you do s/eval//g, and try to package, you get this:
chmod: cannot access `/dev/shm/portage/sys-power/nut-2.2.1/image//etc/nut/{upsd.conf,upsd.users,upsmon.conf}': No such file or directory
chown: cannot access `/dev/shm/portage/sys-power/nut-2.2.1/image//etc/nut/{upsd.conf,upsd.users,upsmon.conf}': No such file or directory
chmod: cannot access `/dev/shm/portage/sys-power/nut-2.2.1/image//etc/nut/{{hosts,upsset,ups,upssched}.conf,upsstats{,-single}.html}': No such file or directory
chown: cannot access `/dev/shm/portage/sys-power/nut-2.2.1/image//etc/nut/{{hosts,upsset,ups,upssched}.conf,upsstats{,-single}.html}': No such file or directory

This leads to the nut configuration files w/ password details having insecure permissions.
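
The behaviour described in Comment 1, as an added example that is not part of the bug report or the ebuild: it applies the brace pattern from the error output to a constructed scratch directory and counts the files left world-readable. The function names and the `PRIVATE_FILES` variable are assumptions made for this demo.

```bash
#!/usr/bin/env bash
# Added example: constructed scratch directory, not the ebuild's own code.
# Brace expansion is a bash feature; re-run under bash if started by plain sh.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# Same brace pattern that appears in the chmod error output above.
PRIVATE_FILES='/etc/nut/{upsd.conf,upsd.users,upsmon.conf}'

# Build a scratch image whose config files start out world-readable (0644).
make_image() {
    local image f
    image=$(mktemp -d) || return 1
    mkdir -p "$image/etc/nut"
    for f in upsd.conf upsd.users upsmon.conf; do
        : > "$image/etc/nut/$f"
        chmod 0644 "$image/etc/nut/$f"
    done
    printf '%s\n' "$image"
}

# Count config files that any local user can still read.
world_readable() {
    find "$1/etc/nut" -type f -perm -004 | wc -l | tr -d ' '
}

# Without eval: brace expansion runs before variable expansion, so chmod gets
# one literal path containing braces and fails. With 2>/dev/null, as in
# pkg_postinst, the failure is silent and the files stay at 0644.
without_eval() {
    local image
    image=$(make_image) || return 1
    chmod 0640 "$image"$PRIVATE_FILES 2>/dev/null || true
    world_readable "$image"
    rm -rf "$image"
}

# With eval: the expanded text is parsed a second time, the braces expand to
# three paths, and every file is tightened to 0640.
with_eval() {
    local image
    image=$(make_image) || return 1
    eval chmod 0640 "$image"$PRIVATE_FILES
    world_readable "$image"
    rm -rf "$image"
}

echo "world-readable without eval: $(without_eval)"
echo "world-readable with eval:    $(with_eval)"
```

The same `find ... -perm -004` check can be pointed at an installed `/etc/nut` to confirm that no configuration file holding credentials is readable by other users.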