Bug 200351

Summary: SRPM spec file installed 0666
Product: [Fedora] Fedora
Reporter: Stan Bubrouski <stan.bubrouski>
Component: perl-File-chdir
Assignee: Ian Burrell <ianburrell>
Status: CLOSED CANTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: medium
Version: 5
CC: extras-qa
Hardware: noarch   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2006-07-27 02:59:56 UTC

Description Stan Bubrouski 2006-07-27 02:39:28 UTC
After installing the SRPM for this package I noticed:
[stan@duergar ~]$ ls -l /usr/src/redhat/SPECS/perl-File-chdir.spec
-rw-rw-rw- 1 root root 1485 Jun 29 01:49 /usr/src/redhat/SPECS/perl-File-chdir.spec

Security risk, enough said.

Comment 1 Stan Bubrouski 2006-07-27 02:42:21 UTC
Also:
[stan@duergar ~]$ ls -l /usr/src/redhat/SOURCES/File-chdir-0.06.tar.gz
-rw-rw-rw- 1 root root 22393 Jun 29 01:49 /usr/src/redhat/SOURCES/File-chdir-0.06.tar.gz


Comment 2 Ian Burrell 2006-07-27 02:59:56 UTC
The mock build system makes all files in the SRPMS writable.  The files have
normal permissions in CVS.  They are checked out as 0664 on my machine, included
like that if I build locally.  Also, installing the SRPMS on my machine as my
user uses my umask.  They only end up world-writable when installed by root.  

I have no control on the permissions that the build system uses.  This problem
affects all the SRPMS in Extras.  I would suggest not installing and building
SRPMS as root.  To get this fixed, you will need to:

1) Complain to mock maintainers to change the permissions in the SRPMS.
2) Complain to rpm maintainers to not install files with world-writable
permissions and obey the umask as root.


Comment 3 Stan Bubrouski 2006-07-27 03:11:41 UTC
Bleh.  I have my own little perl-based build system which uses builder
user/group for building.  But on occasion when I'm su'ed to root I build
packages when I'm fooling around.

This whole thing kinda stinks, I'll file a mock bug.  Sorry to bother you.
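
An added example, not part of the bug thread: shell helpers to check for the condition reported above, both in an SRPM's recorded file modes before installing it and in a build tree after a root install. The function names are hypothetical. The rpm query shown in the comment uses rpm's FILEMODES tag with the :perms formatter, and /usr/src/redhat is the tree from the report.

```shell
#!/bin/sh
# Added example: audit for world-writable files from an SRPM install.
# Function names are illustrative, not from rpm or mock.

# Print regular files under a build tree whose "other" write bit is set.
# Defaults to the SPECS/SOURCES parent directory shown in the report.
list_world_writable() {
    find "${1:-/usr/src/redhat}" -type f -perm -0002 -print
}

# Read "<perms> <name>" lines on stdin and print the names that are
# world-writable. Intended input, before installing a source package:
#   rpm -qp --qf '[%{FILEMODES:perms} %{FILENAMES}\n]' package.src.rpm
# In a perms string such as -rw-rw-rw- the ninth character is the
# "other" write bit.
flag_srpm_modes() {
    while read -r perms name; do
        case "$perms" in
            ????????w?) printf '%s\n' "$name" ;;
        esac
    done
}

# Clear the "other" write bit on every file list_world_writable reports,
# leaving owner and group bits as they were.
fix_world_writable() {
    list_world_writable "$1" | while IFS= read -r f; do
        chmod o-w "$f"
    done
}
```

Run `flag_srpm_modes` on the query output before `rpm -i`, and `list_world_writable` afterwards on any tree that root has installed SRPMs into.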