Bug 200351 - SRPM spec file installed 0666
Summary: SRPM spec file installed 0666
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: perl-File-chdir
Version: 5
Hardware: noarch
OS: Linux
medium
high
Target Milestone: ---
Assignee: Ian Burrell
QA Contact: Fedora Extras Quality Assurance
Reported: 2006-07-27 02:39 UTC by Stan Bubrouski
Modified: 2007-11-30 22:11 UTC

Last Closed: 2006-07-27 02:59:56 UTC

Description Stan Bubrouski 2006-07-27 02:39:28 UTC
After installing the SRPM for this package I noticed:
[stan@duergar ~]$ ls -l /usr/src/redhat/SPECS/perl-File-chdir.spec
-rw-rw-rw- 1 root root 1485 Jun 29 01:49 /usr/src/redhat/SPECS/perl-File-chdir.spec

Security risk, enough said.

Comment 1 Stan Bubrouski 2006-07-27 02:42:21 UTC
Also:
[stan@duergar ~]$ ls -l /usr/src/redhat/SOURCES/File-chdir-0.06.tar.gz
-rw-rw-rw- 1 root root 22393 Jun 29 01:49 /usr/src/redhat/SOURCES/File-chdir-0.06.tar.gz


Comment 2 Ian Burrell 2006-07-27 02:59:56 UTC
The mock build system makes all files in the SRPMS writable.  The files have
normal permissions in CVS.  They are checked out as 0664 on my machine, included
like that if I build locally.  Also, installing the SRPMS on my machine as my
user uses my umask.  They only end up world-writable when installed by root.

I have no control over the permissions that the build system uses.  This problem
affects all the SRPMS in Extras.  I would suggest not installing and building
SRPMS as root.  To get this fixed, you will need to:

1) Complain to mock maintainers to change the permissions in the SRPMS.
2) Complain to rpm maintainers to not install files with world-writable
permissions and obey the umask as root.
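
Added example (not part of the original report, and not code from rpm or mock): a POSIX shell audit for the condition shown above, world-writable files left under SPECS/ and SOURCES/ after an SRPM was installed as root. The function names are hypothetical; the build-tree path is passed as an argument, /usr/src/redhat being the one in the report.

```shell
#!/bin/sh
# Audit an rpm build tree for files any local user can modify.
# A world-writable spec or source tarball matters because whoever
# later runs rpmbuild on it executes whatever the file then contains.

# Print each regular file under SPECS/ and SOURCES/ with the o+w bit set.
list_world_writable() {
    topdir=$1
    for sub in SPECS SOURCES; do
        [ -d "$topdir/$sub" ] || continue
        # -perm -0002 matches when the "other write" bit is set,
        # whatever the remaining mode bits are (0666, 0646, ...).
        find "$topdir/$sub" -type f -perm -0002 -print
    done
}

# Number of offending files, for use in scripts and cron checks.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Remove only the o+w bit; owner and group bits are left untouched.
# -type f means symlinks are never followed or chmod'ed.
fix_world_writable() {
    topdir=$1
    for sub in SPECS SOURCES; do
        [ -d "$topdir/$sub" ] || continue
        find "$topdir/$sub" -type f -perm -0002 -exec chmod o-w {} +
    done
}

# Stand-alone use: sh audit.sh /usr/src/redhat
if [ -n "${1:-}" ]; then
    list_world_writable "$1"
fi
```

Clearing the bit after the fact does not show whether a file was altered while it was writable; reinstalling the SRPM as an unprivileged build user, as suggested above, avoids the window entirely.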


Comment 3 Stan Bubrouski 2006-07-27 03:11:41 UTC
Bleh.  I have my own little perl-based build system which uses builder
user/group for building.  But on occasion when I'm su'ed to root I build
packages when I'm fooling around.

This whole thing kinda stinks, I'll file a mock bug.  Sorry to bother you.

