Mikko Rapeli wrote: > On Thu, Dec 01, 2005 at 03:32:45AM +0200, Mikko Rapeli wrote: > > fakeroot combined with dpkg-source uses original source package permissions. > > If the original source has insecure permissions on files and/or directories > > dpkg-source -x should override them with umask, but: > > <snip> > > What I ment to copy-paste here at 3:30 in the morning was: > > $ fakeroot /bin/sh > sh-2.05b# ls -ld rssh-* > ls: rssh-*: No such file or directory > sh-2.05b# dpkg-source -x rssh_2.2.3-1.dsc > dpkg-source: extracting rssh in rssh-2.2.3 > sh-2.05b# ls -ld rssh-* > drwxrwxrwx 3 500 500 4096 Dec 1 12:29 rssh-2.2.3 > sh-2.05b# umask > 0077
Thanks for your report, but I'd rather consider this a if-use-user-wants-to-shoot-in-both-feet-they-should error. Why would anybody would want to run dpkg-source inside a fakerooted shell? You can't exploit root or another user, but only leave an exploit for your own directory. I'd still consider it a bug, though, and it should be fixed in sid. Regards, Joey -- It's time to close the windows. Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]