Red Hat Bugzilla – Bug 200351
SRPM spec file installed 0666
Last modified: 2007-11-30 17:11:38 EST
After installing the SRPM for this package I noticed: [stan@duergar ~]$ ls -l /usr/src/redhat/SPECS/perl-File-chdir.spec -rw-rw-rw- 1 root root 1485 Jun 29 01:49 /usr/src/redhat/SPECS/perl-File-chdir.spec Security risk, enough said.
Also: [stan@duergar ~]$ ls -l /usr/src/redhat/SOURCES/File-chdir-0.06.tar.gz -rw-rw-rw- 1 root root 22393 Jun 29 01:49 /usr/src/redhat/SOURCES/File-chdir-0.06.tar.gz
The mock build system makes all files in the SRPMS writable. The files have normal permissions in CVS. They are checked out as 0664 on my machine, included like that in I build locally. Also, installing the SRPMS on my machine as my user uses my umask. They only end up world-writable when installed by root. I have no control on the permissions that the build system uses. This problem effects all the SRPMS in Extras. I would suggest not installing and building SRPMS as root. To get this fixed, you will need to: 1) Complain to mock maintainers to change the permissions in the SRPMS. 2) Complain to rpm maintainers to not install files with world-writable permissions and obey the umask as root.
Bleh. I have my own little perl-based build system which uses builder user/group for building. But on occasion when I'm su'ed to root I build packages when I'm fooling around. This whole thing kinda stinks, I'll file a mock bug. Sorry to bother you.