tech-pkg archive

Re: Improving security for pkgsrc



Hi,

On 07/30/15 10:26, Thomas Klausner wrote:
> On Thu, Jul 30, 2015 at 02:04:34AM +0200, Pierre Pronchery wrote:
>> As before, I will welcome your feedback while trying to get this
>> integrated.
> 
> The whole patch looks like it will only work when you do 'make
> install', but not with pkg_add. You will need INSTALL script fragments
> for that.

I have tried both "make install" and "make package", and it worked in
both cases. Please correct me if I am wrong, but it seems that even if
destdir is not supported, the framework always installs files from the
staging area in ${WRKSRC}/${DESTDIR}. The executables are marked by
paxctl(8) permanently there. This is unlike chmod(1) for instance, which
does not modify the original file.

Reading the manual page for paxctl(8), it mentions that marking
executables should "be done using fileassoc(9) in the future" - which
would then behave like chmod(1) does. We are not yet there though, at
least on NetBSD. I do not know about other platforms in this regard.

Cheers,
-- 
khorben


