Summary: | sys-apps/portage-2.3.53-r1 - wrong permissions in build directory | ||
---|---|---|---|
Product: | Portage Development | Reporter: | Joakim Tjernlund <joakim.tjernlund> |
Component: | Unclassified | Assignee: | Portage team <dev-portage> |
Status: | UNCONFIRMED --- | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Joakim Tjernlund
2019-01-09 13:39:02 UTC
These permissions are intentional. The clean phase is intended to require root privileges if the ebuild previously executed as root. (In reply to Zac Medico from comment #1) > These permissions are intentional. The clean phase is intended to require > root privileges if the ebuild previously executed as root. But why? Should not a member of portage group be enough? As it, the behaviour is asymetrical: As root I can clean out another users build dir. Yes, it's completely natural for root privileges to be asymmetric in comparison to non-root privileges. (In reply to Zac Medico from comment #3) > Yes, it's completely natural for root privileges to be asymmetric in > comparison to non-root privileges. You said: These permissions are intentional. The clean phase is intended to require root privileges if the ebuild previously executed as root. One could read that as "only the user that created the stuff may rm it" but obviously this is not the case. This boils down to my first Q: why is this the intended behaviour? What problem does is solve? I think we probably should facilitate private per-user PORTAGE_TMPDIR rather than make it easier to interfere with root processes. Anything that allows interference with root processes could be a potential security vulnerability. (In reply to Zac Medico from comment #5) > I think we probably should facilitate private per-user PORTAGE_TMPDIR rather > than make it easier to interfere with root processes. Anything that allows > interference with root processes could be a potential security vulnerability. But interference is already happening, look at .ipc_in/.ipc_out . Could we at least have read privs for portage on everything(look at work) ? The work directory permissions are adjustable with the PORTAGE_WORKDIR_MODE variable. (In reply to Joakim Tjernlund from comment #6) > But interference is already happening, look at .ipc_in/.ipc_out . Existence of vulnerabilities is not justification to introduce more vulnerabilities. (In reply to Zac Medico from comment #7) > The work directory permissions are adjustable with the PORTAGE_WORKDIR_MODE > variable. Thanks, will look at that > > (In reply to Joakim Tjernlund from comment #6) > > But interference is already happening, look at .ipc_in/.ipc_out . > > Existence of vulnerabilities is not justification to introduce more > vulnerabilities. I didn't mean it like so, just that you might want to change privs on these two. |