Mikko Rapeli wrote:
> On Thu, Dec 01, 2005 at 03:32:45AM +0200, Mikko Rapeli wrote:
> > fakeroot combined with dpkg-source uses original source package permissions.
> > If the original source has insecure permissions on files and/or directories
> > dpkg-source -x should override them with umask, but:
> 
> <snip> 
> 
> What I meant to copy-paste here at 3:30 in the morning was:
> 
> $ fakeroot /bin/sh
> sh-2.05b# ls -ld rssh-*
> ls: rssh-*: No such file or directory
> sh-2.05b# dpkg-source -x rssh_2.2.3-1.dsc
> dpkg-source: extracting rssh in rssh-2.2.3
> sh-2.05b# ls -ld rssh-*
> drwxrwxrwx  3 500 500 4096 Dec  1 12:29 rssh-2.2.3
> sh-2.05b# umask
> 0077

Thanks for your report, but I'd rather consider this a
if-use-user-wants-to-shoot-in-both-feet-they-should error.  Why would
anybody want to run dpkg-source inside a fakerooted shell?
You can't exploit root or another user, but only leave an exploit
for your own directory.

I'd still consider it a bug, though, and it should be fixed in sid.

Regards,

        Joey

-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.
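
A check for the condition shown in the quoted session, as an added example that is not part of the original thread or of dpkg: it lists paths in an unpacked source tree whose mode carries bits the current umask forbids, then clears those bits. The function names are hypothetical, and GNU find and GNU stat are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit and repair an unpacked source
# tree whose modes are more permissive than the caller's umask allows.
# Usage after sourcing: umask_violations rssh-2.2.3; clamp_to_umask rssh-2.2.3

# Print every path under $1 that has at least one permission bit set
# which the current umask would normally have masked out.
umask_violations() {
    tree=$1
    # umask prints e.g. 0077; drop leading zeros to get the forbidden bits.
    bits=$(umask | sed 's/^0*//')
    [ -n "$bits" ] || return 0        # umask 0000 forbids nothing
    # -depth: list children before their directory, so a later chmod on the
    #         directory cannot interfere with the traversal.
    # -perm /BITS (GNU find): true if any of BITS is set.
    # Symlinks are skipped because their own mode is not meaningful.
    find "$tree" -depth ! -type l -perm "/$bits" -print
}

# Clear the umask-forbidden bits on every offending path under $1.
# Paths containing newlines are not handled by this line-based loop.
clamp_to_umask() {
    tree=$1
    mask=$(umask)
    umask_violations "$tree" | while IFS= read -r path; do
        mode=$(stat -c '%a' "$path")  # current mode in octal, e.g. 777
        # Leading 0 makes the shell read both values as octal constants.
        new=$(printf '%o' $(( 0$mode & ~0$mask & 07777 )))
        chmod "$new" "$path"
    done
}
```

With the umask of 0077 from the session above, a directory unpacked as `drwxrwxrwx` is reported by `umask_violations` and reduced to mode 700 by `clamp_to_umask`.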

