Bug 11247
Summary: RPM and upgrade errors

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Retired] Red Hat Linux | Reporter | Robert Thomas <thoma041> |
| Component | rpm | Assignee | Jeff Johnson <jbj> |
| Status | CLOSED DUPLICATE | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 6.2 | CC | unix-support |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2001-05-03 15:52:58 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Robert Thomas
2000-05-05 17:16:15 UTC
Um, rpm is totally unprepared to deal with chattr (or even rdonly) file systems. Until chattr is more widely (and consistently) used, I see little need to teach rpm about chattr. For now, just "Don't do that!".

I feel that this is unfortunate. I have been teaching a LOT of people to use the immutable bit on critical files and directories and it has saved a number of systems from being broken into in the past (sometimes by crackers, sometimes by a manager who gained access to a console logged in as root). I guess I really feel that it isn't reasonable for RPM to continue doing its thing without telling anyone of any errors or warnings and later going 'doh because it failed or partially failed (totally failing seems easier to deal with than partially failing). Believe me, after doing this once, the second time you do it to yourself, you sort of feel like the Coyote (oh no!).

-Robert

The feature request for rpm is not discarded, only deferred. Before chattr, the rdonly file system problems need to be resolved, and before that a less naive scheme than the current netsharedpath mechanism needs to be devised.

FWIW, part of teaching people to use chattr involves explaining how the use of chattr affects other programs like rpm, etc ...

This is significantly more serious than the current bug report gives credit. We recently found a machine with chattr +i on /bin/login and a few other files. In particular this meant that when upgraded it silently failed to upgrade these packages, although there was a note on one of the virtual consoles. This was in relation to a hacking incident - it meant that if the machine that had been hacked had been upgraded then the back door that the hacker placed there would have survived. This _has_ to be an issue, since traditionally an upgrade would be considered a safe way of removing problems with a compromised machine. If nothing else the installation should come up with big red flags complaining that it cannot upgrade a package.

Julian (unix-support.ac.uk)
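The failure mode described in this thread (an upgrade silently skipping files that carry the immutable attribute) can be checked for before running rpm. The script below is an added example and is not part of the bug report or of rpm itself; it parses `lsattr` output to list immutable files, offers a live check over the files a named package owns, and runs against a constructed sample of `lsattr` lines modelled on the /bin/login case above (the attribute strings and package name are assumptions, not from the page).

```shell
#!/bin/sh
# Added example (not from the bug report or from rpm): find files carrying the
# immutable attribute that `chattr +i` sets, since rpm cannot replace them on
# upgrade. Sample data below is constructed for the demonstration.

# Parse `lsattr` output lines: first field is the attribute string, the rest
# is the path. Prints every path whose attribute string contains 'i'
# (immutable); the uppercase 'I' (indexed directory) is deliberately ignored.
immutable_from_lsattr() {
    while IFS= read -r line; do
        attrs=${line%% *}
        path=${line#* }
        case $attrs in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# Live check (needs rpm and lsattr on the host): list every regular file owned
# by the package named in $1 that is immutable. The package name is supplied
# by the caller, e.g. immutable_in_package util-linux (hypothetical).
immutable_in_package() {
    rpm -ql "$1" 2>/dev/null | while IFS= read -r f; do
        [ -f "$f" ] && lsattr -d "$f" 2>/dev/null
    done | immutable_from_lsattr
}

# Constructed lsattr output: /bin/login and /etc/passwd made immutable, the
# other two untouched. Attribute strings are illustrative only.
SAMPLE='--------------e----- /bin/ls
----i---------e----- /bin/login
----i---------e----- /etc/passwd
--------------e----- /bin/bash'

# Run the parser over the constructed sample (returns the immutable paths).
sample_immutable() {
    printf '%s\n' "$SAMPLE" | immutable_from_lsattr
}

# Number of immutable files in the sample, for a quick self-check.
sample_immutable_count() {
    sample_immutable | wc -l | tr -d ' '
}
```

On a real host, run `immutable_in_package <pkg>` for each package about to be upgraded, and treat any output as a reason to stop and inspect the file before rpm is allowed to skip it.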