Bug 200351 - SRPM spec file installed 0666
SRPM spec file installed 0666
Product: Fedora
Classification: Fedora
Component: perl-File-chdir (Show other bugs)
noarch Linux
medium Severity high
: ---
: ---
Assigned To: Ian Burrell
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2006-07-26 22:39 EDT by Stan Bubrouski
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-07-26 22:59:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Stan Bubrouski 2006-07-26 22:39:28 EDT
After installing the SRPM for this package I noticed:
[stan@duergar ~]$ ls -l /usr/src/redhat/SPECS/perl-File-chdir.spec
-rw-rw-rw- 1 root root 1485 Jun 29 01:49 /usr/src/redhat/SPECS/perl-File-chdir.spec

Security risk, enough said.
Comment 1 Stan Bubrouski 2006-07-26 22:42:21 EDT
[stan@duergar ~]$ ls -l /usr/src/redhat/SOURCES/File-chdir-0.06.tar.gz
-rw-rw-rw- 1 root root 22393 Jun 29 01:49
Comment 2 Ian Burrell 2006-07-26 22:59:56 EDT
The mock build system makes all files in the SRPMS writable.  The files have
normal permissions in CVS.  They are checked out as 0664 on my machine, included
like that in I build locally.  Also, installing the SRPMS on my machine as my
user uses my umask.  They only end up world-writable when installed by root.  

I have no control on the permissions that the build system uses.  This problem
effects all the SRPMS in Extras.  I would suggest not installing and building
SRPMS as root.  To get this fixed, you will need to:

1) Complain to mock maintainers to change the permissions in the SRPMS.
2) Complain to rpm maintainers to not install files with world-writable
permissions and obey the umask as root.
Comment 3 Stan Bubrouski 2006-07-26 23:11:41 EDT
Bleh.  I have my own little perl-based build system which uses builder
user/group for building.  But on occasion when I'm su'ed to root I build
packages when I'm fooling around.

This whole thing kinda stinks, I'll file a mock bug.  Sorry to bother you.

Note You need to log in before you can comment on or make changes to this bug.