Bug 135291
| Summary: | kernel SRPM %build uses hardcoded /tmp | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | D. Hugh Redelmeier <hugh> |
| Component: | kernel | Assignee: | Rik van Riel <riel> |
| Status: | CLOSED RAWHIDE | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 3 | CC: | davej, hugh, pri.rhl1, wtogami |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-03-15 15:36:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 123268, 136451 | ||
I'll look into it, since I'm the one messing up the rawhide kernel spec file the most often anyway (and davej is busy with production kernels). This seems to have been fixed in rawhide, while I was looking the other way:
#
# Create gpg keys for signing the modules
#
gpg --homedir . --batch --gen-key %{SOURCE11}
gpg --homedir . --export --keyring ./kernel.pub Red > extract.pub
|
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10 Description of problem: In kernel-2.6.8-1.603.src.rpm (and probably others), in kernel-2.6.spec, in %build: gpg --homedir /tmp --batch --gen-key %{SOURCE11} gpg --homedir /tmp --export --keyring ./kernel.pub Red > extract.pub The hardcoded /tmp seems like a bad idea: - It causes separate users on the system to interfere with each other. For example, I built as root, then could not build as myself because these files existed and were owned by root. - It introduces a security issue: the paths are predictable and so an adversary could plant symlinks or whatever. Doubly so considering that we are dealing with keying material. - These files don't seem to be deleted. It is hard to know what files should be deleted since they are mixed in with everything else in /tmp. I don't know enough to suggest the best alternative. A workable one might be: KT=%{_builddir}/keytmp rm -rf $KT mkdir $KT chmod go-rwx $KT gpg --homedir $KT --batch --gen-key %{SOURCE11} gpg --homedir $KT --export --keyring ./kernel.pub Red > extract.pub rm -rf $KT Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. as root: build kernel from SRPM 2. as an ordinary user: build kernel from SRPM 3. Actual Results: gpg: can't open `/tmp/random_seed': Permission denied Expected Results: build works Additional info: Technically, this is a security issue.