Bug 159252 - installsources (in prepstrip) preserves perms, owner, etc.
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core - Ebuild Support
Hardware: All Linux
Importance: High normal
Assignee: Portage team
Keywords: InVCS
Blocks: 147007
Reported: 2006-12-27 16:37 UTC by Ed Catmur
Modified: 2006-12-28 19:10 UTC

Attachments
installsources-safe-copy.patch (installsources-safe-copy.patch,447 bytes, patch)
2006-12-27 16:44 UTC, Ed Catmur

Description Ed Catmur 2006-12-27 16:37:34 UTC
prepstrip has:

			cat "${T}"/debug.sources | (cd "${WORKDIR}"; LANG=C sort -z -u | \
				rsync -aL0 --files-from=- "${WORKDIR}/" "${D}${sources_dir}/" )

rsync(1) says:
        -a, --archive               archive mode; equals -rlptgoD (no -H,-A,-X)
...
        -r, --recursive             recurse into directories
        -l, --links                 copy symlinks as symlinks
        -p, --perms                 preserve permissions
        -t, --times                 preserve times
        -g, --group                 preserve group
        -o, --owner                 preserve owner (super-user only)
            --devices               preserve device files (super-user only)
            --specials              preserve special files
        -D                          same as --devices --specials

This means that installsources will happily copy world-writable source files over; possible security hole? World-writable source files seem to happen a lot when using a git.eclass ebuild, but may arise elsewise.

Suggest: rsync -rtL0 etc. All we need is recursive; times are nice as well. Copying perms, owner and group is potentially harmful; preserving devices and specials is just silly.
Comment 1 Ed Catmur 2006-12-27 16:44:54 UTC
Created attachment 104824
installsources-safe-copy.patch

Patch against 2.1.2_rc4-r1: use -rtL0

btw, -L is --copy-links "transform symlink into referent file/dir", see bug 144928
Comment 2 Zac Medico gentoo-dev 2006-12-28 13:19:14 UTC
This is in svn r5408.  Thanks.
Comment 3 Zac Medico gentoo-dev 2006-12-28 19:10:45 UTC
This has been released in 2.1.2_rc4-r2.
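
An added example, not part of the bug report or of Portage's code: a check over an installed-sources tree for what the description warns about, namely world-writable entries and special files that a permission-preserving copy would carry over. The function names and the constructed sample tree are hypothetical; the directory argument stands in for "${D}${sources_dir}".

```bash
#!/bin/sh
# audit_sources DIR
# Prints one line per finding and returns 1 if any were found, 0 if clean,
# 2 if DIR is not a directory. DIR stands in for "${D}${sources_dir}".
audit_sources() {
    dir=$1
    [ -d "$dir" ] || { echo "audit_sources: not a directory: $dir" >&2; return 2; }
    findings=$(
        # Anything writable by "other" (symlink modes are meaningless, skip them).
        find "$dir" ! -type l -perm -0002 -exec printf 'world-writable: %s\n' {} +
        # Device nodes, FIFOs and sockets have no place among source files.
        find "$dir" \( -type b -o -type c -o -type p -o -type s \) \
            -exec printf 'special: %s\n' {} +
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample input: a small tree with one world-writable source file,
# one normal file and one FIFO. Prints the path of the temporary directory.
make_constructed_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/pkg-1.0/src"
    chmod 755 "$t" "$t/pkg-1.0" "$t/pkg-1.0/src"
    : > "$t/pkg-1.0/src/main.c"; chmod 666 "$t/pkg-1.0/src/main.c"
    : > "$t/pkg-1.0/src/util.c"; chmod 644 "$t/pkg-1.0/src/util.c"
    mkfifo "$t/pkg-1.0/src/pipe"; chmod 600 "$t/pkg-1.0/src/pipe"
    printf '%s\n' "$t"
}

# Demo run on the constructed tree.
tree=$(make_constructed_tree)
audit_sources "$tree" || echo "findings above: modes or file types were carried over"
rm -rf "$tree"
```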