Re: www/serf install permissions fix
> Anyway, here's what I know:
Of course the primary culprit is the upstream tar, which we can't fix.
> The install logic of the package's source distribution preserves the
> file mode of some of the extracted files that are not built (e.g.,
> header files) when it installs them.
That seems wrong and ought to be fixed.
> I submitted a patch to correct the file permissions post install.
Which leaves a window to modify them.
> It was noted that preserving group- and world-writable file mode bits
> on extraction is a security issue as things are right now in pkgsrc
> because an unprivileged user could modify those files.
Yes. I suggested extracting to a non-searchable subdir (.extract?) of WRKDIR.
Then chmod -R go-w that dir and move or symlink all non-dot entries back to
This would also guard against upstream archives containing, e.g., .tools.
> I submitted a patch to change the EXTRACT_USING default on Darwin from
> nbtar to pax.
As it looks like both the standard is unclear on the correct behaviour and
the existing tools' actual behaviours vary, I don't think this is the right
fix. What if Mac-OS:10.42 (or whatever they like to spell it then) ships with
a pax that behaves differently again?
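
The staging approach suggested in the message above, as an added shell example that is not part of the original message or of pkgsrc's own extract code. The function names `stage_extract` and `loose_modes` are hypothetical, `tar` stands in for whatever extract tool is configured, and the destination of the final move is assumed here to be the work directory itself.

```shell
# Added illustration; function names and layout are assumptions.
stage_extract() {
    archive=$1
    wrkdir=$2
    stage="$wrkdir/.extract"

    # Mode 0700 on the staging directory: other users cannot traverse
    # into it, so files that briefly carry go+w bits are unreachable.
    mkdir -p "$wrkdir" || return 1
    rm -rf "$stage"
    mkdir -m 700 "$stage" || return 1

    # -p keeps the archive's mode bits, the worst case under discussion.
    tar -xpf "$archive" -C "$stage" || return 1

    # Strip group/other write before anything becomes reachable.
    chmod -R go-w "$stage" || return 1

    # "*" does not match dot entries, so an archive-supplied .tools
    # stays behind in the staging directory.
    for entry in "$stage"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        mv "$entry" "$wrkdir"/ || return 1
    done
}

# List non-symlink entries still writable by group or other.
loose_modes() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}
```

Running `loose_modes` on the extracted tree after `stage_extract` should print nothing; any output names an entry that kept a group- or world-writable bit.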