Description of problem:
I removed the netdump-server package, but since I had changed the /var/crash/.ssh/authorized_keys2 file, it saved it as a .rpmsave file. This is good... but it saved it with mode 0644... not with the same mode that the config file had. This seems to be a minor security hole:

[root@jjensen-lnx root]# cd /var/crash/.ssh/
[root@jjensen-lnx .ssh]# ls -l
total 8
-rw------- 1 netdump netdump 616 Jan 17 15:32 authorized_keys2
-rw------- 1 root root 616 Jan 17 15:28 authorized_keys2.premade
-rw-r--r-- 1 root root 0

Version-Release number of selected component (if applicable):
FC3, all updates
ping!!!
I checked the code; we do rename() for this, so I can't see how you can possibly get this. Can't reproduce using the test below on RHEL 3, RHEL 4 or rawhide. Please reopen if you come up with a clear reproducer:

1) Install netdump
ls -l
-rw------- 1 netdump netdump 0 Apr 6 11:51 authorized_k

2) cat /root/.ssh/id_dsa.pub >> /var/crash/.ssh/authorized_keys eys2
ls -l
-rw------- 1 netdump netdump 606 Jul 14 13:54 authorized_key

3) Verify and then erase
rpm -V netdump-server
S.5....T c /var/crash/.ssh/authorized_keys2
rpm -e netdump-server
warning: /var/crash/.ssh/authorized_keys2 saved as /var/crash/.ssh/authorized_keys2.rpmsave

4) Check rpmsave
ls -l /var/crash/.ssh/authorized_keys2.rpmsave
-rw------- 1 netdump netdump 606 Jul 14 13:54 /var/crash/.ssh/authorized_keys2.rpmsave
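The check in step 4 above, generalized to every rpm backup suffix (.rpmsave, .rpmnew, .rpmorig) under a directory tree. This is an added example, not code from the bug report or from rpm; the function names are hypothetical, and it assumes POSIX sh and file names without embedded newlines.

```shell
#!/bin/sh
# Added example: audit rpm backup copies for group/other access.
# Function names are hypothetical; assumes POSIX sh, find, ls, cut.

# list_loose_rpm_backups DIR...
# Prints "PERMS PATH" for each backup copy whose group/other bits are not clear.
list_loose_rpm_backups() {
    find "$@" -type f \
        \( -name '*.rpmsave' -o -name '*.rpmnew' -o -name '*.rpmorig' \) -print |
    while IFS= read -r f; do
        # First 10 characters of ls -l output are the type and mode string.
        perms=$(ls -ld -- "$f" | cut -c1-10)
        # Characters 5-10 of that string are the group and other bits.
        case $(printf '%s' "$perms" | cut -c5-10) in
            ------) ;;                              # owner-only, nothing to report
            *) printf '%s %s\n' "$perms" "$f" ;;
        esac
    done
}

# tighten_rpm_backups DIR...
# Removes group/other access from every backup the audit flags.
tighten_rpm_backups() {
    list_loose_rpm_backups "$@" | while IFS= read -r line; do
        # The mode string contains no spaces, so the path is everything
        # after the first space (paths containing spaces survive intact).
        chmod go-rwx -- "${line#* }"
    done
}

# Demo on a constructed directory that mirrors the layout in the report.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/.ssh"
    : > "$d/.ssh/authorized_keys2"
    chmod 600 "$d/.ssh/authorized_keys2"
    : > "$d/.ssh/authorized_keys2.rpmsave"
    chmod 644 "$d/.ssh/authorized_keys2.rpmsave"   # the mode from the report
    echo "before:"; list_loose_rpm_backups "$d"
    tighten_rpm_backups "$d"
    echo "after:";  list_loose_rpm_backups "$d"
    rm -rf "$d"
}
demo
```

On a real host the audit would be pointed at the directories that hold packaged config files, for example `list_loose_rpm_backups /var/crash /etc`.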
*** Bug 160259 has been marked as a duplicate of this bug. ***