tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: www/serf install permissions fix



> Anyway, here's what I know:
Of course the primary culprit is the uptream tar, which we can't fix.

> The install logic of the package's source distribution preserves the 
> file mode of some of the extracted files that are not built (e.g., 
> header files) when it installs them.
That seems wrong and ought to be fixed.

> I submitted a patch to correct the file permissions post install.
Which leaves a window to modify them.

> It was noted that preserving group- and world-writable file mode bits
> on extraction is a security issue as things are right now in pkgsrc
> because an unprivileged user could modify those files.
Yes. I suggested extracting to a non-searchable subdir (.extract?) of WRKDIR.
Then chmod -R go-w that dir and move or symlink all non-dot entries back to 
WRKDIR.
This would also guard against upstream archives containing, e.g., .tools.

> I submitted a patch to change the EXTRACT_USING default on Darwin from
> nbtar to pax.
As it looks like both the standard is unclear on the correct behaviour and
the existing tool's actual behaviours vary, I don't think this is the right
fix. What if Mac-OS:10.42 (or whatever they like to spell it then) ships with 
a pax that behaves different again?


Home | Main Index | Thread Index | Old Index