A SUSE bug report [1] noted a problem with how fdupes is used in the %fdupes RPM macro. When there are two files with identical content that differ in owner/group/permissions, the %fdupes macro overwrites one of the files with a link that effectively gives both files the same owner/group/permissions. If one of the files has tighter permissions than the other, this could result in one of the files having more relaxed permissions than appropriate. It looks as though our implementation of %fdupes is taken from SUSE's, so we would be susceptible to the same issues. Suggested means of resolving this are to test for equality of owner/group/permissions before duping a file. It might also be prudent to set some areas as "off limits", such as files in /etc/ or other locations that may contain user-changed configuration files.

[1] https://bugzilla.novell.com/show_bug.cgi?id=784670
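The checks the report suggests (refuse to link when owner, group or permission bits differ, and keep /etc off limits), as an added illustration that is not fdupes' own code or the fix that later shipped; it assumes fdupes has already established that the two paths have identical content, and the OFF_LIMITS list and the demo buildroot layout are constructed for the example.

```python
import os
import stat
import tempfile

# Paths (relative to the buildroot) that must never be deduplicated. The report
# names /etc; treating it as a prefix list is an assumption of this example.
OFF_LIMITS = ("etc/",)

def same_owner_and_mode(a, b):
    """Owner, group and permission bits all match (the check the report asks for)."""
    sa, sb = os.stat(a), os.stat(b)
    return (sa.st_uid, sa.st_gid, stat.S_IMODE(sa.st_mode)) == \
           (sb.st_uid, sb.st_gid, stat.S_IMODE(sb.st_mode))

def is_off_limits(path, buildroot):
    rel = os.path.relpath(path, buildroot)
    return any(rel.startswith(p) for p in OFF_LIMITS)

def link_if_safe(keep, dup, buildroot):
    """Replace `dup` with a hard link to `keep` only when doing so cannot change
    ownership or permissions and neither file is under an off-limits path.
    Returns a short reason string; linking only happens on "linked"."""
    if is_off_limits(keep, buildroot) or is_off_limits(dup, buildroot):
        return "off-limits"
    if not same_owner_and_mode(keep, dup):
        return "metadata-mismatch"
    os.unlink(dup)
    os.link(keep, dup)
    return "linked"

def demo():
    """Constructed scenario: identical files, one 0600 and one 0644, plus a copy in etc/."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/share/doc"))
    os.makedirs(os.path.join(root, "etc"))
    a = os.path.join(root, "usr/share/doc/README")
    b = os.path.join(root, "usr/share/doc/README.copy")
    c = os.path.join(root, "etc/app.conf")
    for p in (a, b, c):
        with open(p, "w") as f:
            f.write("same content\n")
    os.chmod(a, 0o600)          # tighter permissions
    os.chmod(b, 0o644)          # relaxed copy: linking would widen access to `a`
    os.chmod(c, 0o644)
    results = {"mismatch": link_if_safe(a, b, root)}
    os.chmod(b, 0o600)          # now metadata matches, linking is harmless
    results["match"] = link_if_safe(a, b, root)
    results["same_inode"] = os.stat(a).st_ino == os.stat(b).st_ino
    results["etc"] = link_if_safe(b, c, root)
    return results
```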
Created fdupes tracking bugs for this issue.

Affects: fedora-all [bug 865592]
Looks like the Suse guys have found a solution. I'll be implementing it as soon as I have a chance.
This has been corrected in Fedora 17, 18, and 19 with the update to fdupes-1.51-1.