Re: Improving security for pkgsrc

To: Pierre Pronchery <khorben%defora.org@localhost>
Subject: Re: Improving security for pkgsrc
From: Greg Troxel <gdt%ir.bbn.com@localhost>
Date: Mon, 03 Aug 2015 08:31:55 -0400

Pierre Pronchery <khorben%defora.org@localhost> writes:

> On 07/30/15 10:26, Thomas Klausner wrote:

>> The whole patch looks like it will only work when you do 'make
>> install', but not with pkg_add. You will need INSTALL script fragments
>> for that.
>
> I have tried both "make install" and "make package", and it worked in
> both cases. Please correct me if I am wrong, but it seems that even if
> destdir is not supported, the framework always installs files from the
> staging area in ${WRKSRC}/${DESTDIR}. The executables are marked by
> paxctl(8) permanently there. This is unlike chmod(1) for instance, which
> does not modify the original file.

In general, is the notion that paxctl changes the actual binary, and
there is no state anywhere else?

Did you build a binary package, copy it to a different machine, and run
it there?  I think that should work, but it's an obvious test to do.

If destdir is not supported (which is getting to be a more and more
unusual case), then the files are installed from WRKDIR into PREFIX.

Follow-Ups:
- Re: Improving security for pkgsrc
  - From: Pierre Pronchery

References:
- Improving security for pkgsrc
  - From: Pierre Pronchery
- Re: Improving security for pkgsrc
  - From: Pierre Pronchery
- Re: Improving security for pkgsrc
  - From: Thomas Klausner
- Re: Improving security for pkgsrc
  - From: Pierre Pronchery

Prev by Date: daily pkgsrc CVS update output
Next by Date: Re: Improving security for pkgsrc
Previous by Thread: Re: Improving security for pkgsrc
Next by Thread: Re: Improving security for pkgsrc
Indexes:

Home | Main Index | Thread Index | Old Index