Bug 62938 - rpm -qa works for non root user
Summary: rpm -qa works for non root user
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: rpm
Version: 7.2
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-04-08 04:36 UTC by Need Real Name
Modified: 2008-05-01 15:38 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2002-04-08 04:36:57 UTC
Embargoed:

Attachments (Terms of Use)

Description Need Real Name 2002-04-08 04:36:53 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)

Description of problem:
upgrade to RPM version 4.0.4 now allows non root user to perform an rpm -qa

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
user@localhost
0 ~ $ id
uid=500(user) gid=500(user) groups=500(user)

user@localhost
0 ~ $ which rpm
/bin/rpm

user@localhost
0 ~ $ ls -al /bin/rpm
-rwxr-xr-x    1 rpm      rpm       1737960 Feb 16 02:31 /bin/rpm
user@localhost

1 ~ $ rpm -v
RPM version 4.0.4
Copyright (C) 1998-2000 - Red Hat, Inc.
This program may be freely redistributed under the terms of the GNU GPL

Usage: rpm {--help}
       rpm {--version}

user@localhost
0 ~ $ rpm -qa
filesystem-2.1.6-2
bzip2-libs-1.0.1-4
cracklib-2.7-12
db2-2.4.14-7
gdbm-1.8.0-10
hdparm-4.1-2
mktemp-1.5-11
parted-1.4.16-8
<etc...>

Actual Results:  installed rpm list is returned.

Expected Results:  error: cannot open Packages index using db3 - Permission 
denied (13)
 (or equivalent)

Additional info:
Comment 1 Jeff Johnson 2002-04-08 18:40:21 UTC 
rpm has always permitted non-root readonly database
opens with rpm -qa.

If you *really* want to prohibit non-root queries,
then do
	chmod go-r /var/lib/rpm/*
Note You need to log in before you can comment on or make changes to this bug.