Subject: Re: PR 6009 (pkg_add fails if PREFIX is a symbolic link)
To: Hubert Feyrer <feyrer@rfhs8012.fh-regensburg.de>
From: Jim Bernard <jbernard@ox.mines.edu>
List: tech-pkg
Date: 08/24/1998 08:52:32
On 130 0, Hubert Feyrer wrote:
> 
> On Mon, 24 Aug 1998, Jim Bernard wrote:
> >   Yes, it's surely sufficient, but doesn't address the security risk involved
> > in following possibly unsafe links.  Since the program will almost universally
> > be used by root (and, possibly, but rarely, by regular users installing into
> > their own personal package trees), I don't think the restrictions are too
> > onerous.
> 
> Well, in directories that are writable by users, I see this problem. But
> as /usr isn't writable, I don't think this makes too much sense.

  Well, if you can guarantee that PREFIX will always be set to something in
/usr, and that none of the subdirectories in the path will ever have "other"
write permission, and that this will be true on all NetBSD installations,
then it certainly is wasted effort to put that in (though the performance
cost is negligible, and the effort has already been made, so we're not talking
about asking anyone to go to any additional trouble).  Are you confident that
that will be true?

> >   It is surely true that there are other places in the package system where
> > similar problems occur, and I didn't address those.  This one is the most
> > bothersome, and with the islinktodir() function, it should be easier to
> > address those other places as they are found.  But, I don't think that a
> > blanket replacement of all calls to isdir() by islinktodir() (or a change
> > from lstat to stat in isdir()) is appropriate--most likely there are places
> > where it's really appropriate to check for an actual directory (though I
> > haven't tried very hard to prove that there are such cases).
> 
> At least for the lstat->stat change, this is a big no-no, as this will
> lead to no symlinks any more in binary pkgs. We've been through all this
> before, and to completely fix things, one needs to read all the source and
> decide for each individual call.

  Ah--I hadn't realized that problem would occur.  So, perhaps it _is_ best
to use a separate function such as islinktodir(), but, if you decide the
one I suggested is too paranoid, somewhat simplified.

  Thanks for the comments.
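The two checks this thread contrasts, as an added example (not the patch attached to PR 6009 and not the NetBSD package tools' own code): a minimal islinktodir() built on lstat() followed by stat(), beside the more paranoid check alluded to above, which refuses any resolved path whose directories carry group or "other" write permission. The name safe_dir_path and its exact permission policy are my assumptions.

```c
#define _XOPEN_SOURCE 700   /* expose lstat(), realpath(), symlink(), mkdtemp() */
#include <sys/stat.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if path is a symlink whose target is a directory, 0 if it is
 * anything else (plain directory, file, dangling link), -1 if lstat() fails. */
int islinktodir(const char *path)
{
    struct stat lsb, sb;

    if (lstat(path, &lsb) == -1)
        return -1;
    if (!S_ISLNK(lsb.st_mode))
        return 0;
    /* stat() follows the link; a dangling link is simply not a directory */
    if (stat(path, &sb) == -1)
        return 0;
    return S_ISDIR(sb.st_mode) ? 1 : 0;
}

/* The paranoid variant (hypothetical name): resolve the path and insist that
 * every directory on the resolved path lacks group/other write permission,
 * so an unprivileged user could not have replaced the link or a parent. */
int safe_dir_path(const char *path)
{
    char resolved[PATH_MAX], prefix[PATH_MAX];
    struct stat sb;
    size_t i, n;

    if (realpath(path, resolved) == NULL)
        return 0;
    n = strlen(resolved);
    for (i = 1; i <= n; i++) {
        if (i != 1 && i < n && resolved[i] != '/')
            continue;           /* not at a component boundary yet */
        memcpy(prefix, resolved, i);
        prefix[i] = '\0';
        if (lstat(prefix, &sb) == -1 || !S_ISDIR(sb.st_mode))
            return 0;
        if (sb.st_mode & (S_IWGRP | S_IWOTH))
            return 0;
    }
    return 1;
}
```

A link created under a world-writable directory such as /tmp passes islinktodir() but fails safe_dir_path(), which is exactly the case the "too paranoid" check is meant to catch.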