Bug 58306 - rpm 4.0.3-6x rebuilddb resets db uids / gids
Status: CLOSED DEFERRED
Product: Red Hat Linux
Classification: Retired
Component: rpm
Version: 7.2
Hardware: All Linux
Priority: medium, Severity: low
Assigned To: Jeff Johnson
Reported: 2002-01-13 17:45 EST by Ned Ulbricht
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix
Last Closed: 2002-01-14 13:09:58 EST
Description Ned Ulbricht 2002-01-13 17:45:12 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.19-kim.1 i486)

Description of problem:
The rpm-4.0.3-6x postinstall scriptlet executes
'/bin/chown rpm.rpm /var/lib/rpm/[A-Z]*'

But a subsequent 'rpm --rebuilddb' (executed in a root shell) resets
/var/lib/rpm/[A-Z]* to root.root.



Version-Release number of selected component (if applicable):
rpm-4.0.3-6x.i386.rpm

How reproducible:
Didn't try

Steps to Reproduce:
(previously using db3 rpm db from rpm-4.0.2-6x)
# rpm -Uvh rpm*.i386.rpm popt-1.6.3-6x.i386.rpm
(snip -- upgrade ok)
# ls -l /var/lib/rpm
total 11476
-rw-r--r--    1 rpm      rpm       2629632 Jan 13 01:33 Basenames
-rw-r--r--    1 rpm      rpm         12288 Jan 13 01:32 Conflictname
-rw-r--r--    1 rpm      rpm         12288 Jan 13 01:33 Group
-rw-r--r--    1 rpm      rpm         24576 Jan 13 01:33 Name
-rw-r--r--    1 rpm      rpm       9392128 Jan 13 01:33 Packages
-rw-r--r--    1 rpm      rpm         90112 Jan 13 01:33 Providename
-rw-r--r--    1 rpm      rpm         98304 Jan 13 01:33 Requirename
-rw-r--r--    1 rpm      rpm         12288 Jan 13 01:15 Triggername
# rpm --rebuilddb
# ls -l /var/lib/rpm
total 11856
-rw-r--r--    1 root     root      2646016 Jan 13 01:47 Basenames
-rw-r--r--    1 root     root        12288 Jan 13 01:46 Conflictname
-rw-r--r--    1 root     root       311296 Jan 13 01:47 Dirnames
-rw-r--r--    1 root     root        12288 Jan 13 01:47 Group
-rw-r--r--    1 root     root         8192 Jan 13 01:47 Installtid
-rw-r--r--    1 root     root        24576 Jan 13 01:47 Name
-rw-r--r--    1 root     root      9388032 Jan 13 01:47 Packages
-rw-r--r--    1 root     root        86016 Jan 13 01:47 Providename
-rw-r--r--    1 root     root        28672 Jan 13 01:47 Provideversion
-rw-r--r--    1 root     root        98304 Jan 13 01:47 Requirename
-rw-r--r--    1 root     root        40960 Jan 13 01:47 Requireversion
-rw-r--r--    1 root     root        12288 Jan 13 01:46 Triggername


Additional info:

The CHANGES file documents only
4.0.2 -> 4.0.3:
   - database has rpm.rpm g+w permissions to share db3 mutexes.

But none of the database files, nor the db directory have g+w permissions
$ ls -ld /var/lib/rpm
drwxr-xr-x    2 rpm      rpm          4096 Jan 13 04:07 /var/lib/rpm/

At the very least there is a documentation error here.

And really, a change in the security framework needs to be explained to
administrators just a little bit more in depth than with a one-line cryptic
entry in a changelog.  (I'd add a ;) but I'm not kidding).

Is it the intention to limit the damage that a run-away database update can do? 
Or is the intention to allow db mutexes to be set by non-privileged users?
Comment 1 R P Herrold 2002-01-14 13:09:53 EST
over-reaction on my part ... re-classify status -- see rpm-list archives today
for explanation
Comment 2 Jeff Johnson 2002-02-05 12:52:41 EST
Yes, the uid/gid are reset with --rebuilddb in rpm-4.0.4 and
earlier. The fix will be to put a setgid helper into rpm, which
will happen when it happens. For the moment, owner rpm.rpm
is exactly equivalent (for security audit purposes) to root.root,
adequate for now.
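
An audit for the two conditions discussed in this report (ownership of /var/lib/rpm/[A-Z]* after a rebuild, and whether the g+w bit the CHANGES entry mentions is actually set), added here as an example; it is not code from rpm or from anyone in this thread. It assumes a stat that supports -c, and the function names and report format are invented for the example.

```shell
#!/bin/sh
# Added example: audit owner/group and the group-write bit on the rpm database.
# Assumptions: stat supports -c (GNU coreutils or busybox); the function names
# and the OWNER / NO_G+W report lines are invented for this example.

# check_one PATH UID:GID
# Prints one line per deviation found on PATH; returns 1 if any, 2 on stat error.
check_one() {
    own=$(stat -c '%u:%g' "$1") || return 2
    mode=$(stat -c '%a' "$1") || return 2
    bad=0
    if [ "$own" != "$2" ]; then
        echo "OWNER $1 is $own, expected $2"
        bad=1
    fi
    # %a prints octal permission bits; after >> 3 the group bits are lowest,
    # and 2 is the write bit.
    if [ $(( (0$mode >> 3) & 2 )) -eq 0 ]; then
        echo "NO_G+W $1 has mode $mode"
        bad=1
    fi
    return $bad
}

# audit_rpmdb DIR UID:GID
# Checks DIR itself plus DIR/[A-Z]*, the glob the postinstall scriptlet chowns.
audit_rpmdb() {
    rc=0
    check_one "$1" "$2" || rc=1
    for f in "$1"/[A-Z]*; do
        [ -f "$f" ] || continue      # unmatched glob or non-regular file
        check_one "$f" "$2" || rc=1
    done
    return $rc
}

# Usage on a real system, run before and after 'rpm --rebuilddb':
#   audit_rpmdb /var/lib/rpm "$(id -u rpm):$(id -g rpm)"
if [ $# -eq 2 ]; then
    audit_rpmdb "$1" "$2"
fi
```

The expected owner is passed as numeric uid:gid so the comparison does not depend on name lookups.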
