41708 – emerge makes files in /tmp, not very secure

Bug 41708 - emerge makes files in /tmp, not very secure

Summary: emerge makes files in /tmp, not very secure

Status:	RESOLVED DUPLICATE of bug 21923

Alias:	None

Product:	Portage Development
Classification:	Unclassified
Component:	Core (show other bugs)
Hardware:	All Linux

Importance:	High critical (vote)
Assignee:	Portage team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2004-02-15 15:31 UTC by Toni DiBoulda
Modified:	2005-07-17 13:06 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Toni DiBoulda 2004-02-15 15:31:45 UTC

Reproducible: Always
Steps to Reproduce:
1. cd /tmp
2. mkdir sandboxpids.tmp
3. emerge something
4. watch very confusing error message
(steps 1, 2 and 4 done as any user, need to be root for step 3)


Actual Results:  
Calculating dependencies ...done!
>>> emerge (1 of 1) some-cat/something to /
>>> md5 src_uri ;-) something.tar.gz
>>> /tmp/sandboxpids.tmp is not a regular file>>> pids file write: Bad address


Expected Results:  
to bring down emerge should not be made that easy


!!! Emerge seems to test if sandboxpids.tmp is a regular file only. If it is
!!! hard link to existing file, existing file is empty when emerge is done.
!!! Very dangerous.

Comment 1 Jon Portnoy (RETIRED) gentoo-dev

2004-04-03 12:57:55 UTC

This is pretty major -- a newsgroup poster just pointed this one out. Any Gentoo system can trivially be damaged extremely badly with this one, as far as I can tell.

Comment 2 Jon Portnoy (RETIRED) gentoo-dev

2004-04-03 19:48:13 UTC


*** This bug has been marked as a duplicate of 21923 ***