Have I done something wrong, or am I missing something?  It seems to me to be a
major security hole in a system when crontab executes the
%{l_prefix}/etc/rc scripts as root, and that script can then execute other
programs with root privileges where the rc script and package scripts are
writeable by any user other than root.  What's to prevent anyone from
having something like this in their rc.package file?

...
%start -p 200 -u root
        rm -rf /
...

Programs like COPS go to some length to check for programs and scripts run
out of cron with root privileges to ensure that things like this can't
happen.

It seems to me that the only way around this with openpkg (short of writing
some kind of program that checks ownership and writeability of any root
cron scripts) would be to have all the base directories under %{l_prefix}
writeable only by root while the RPM directory has the usual ownership and
permissions.

This would still allow non-root users to build software, but would require
root privileges to install.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:               camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

"If we got one-tenth of what was promised to us in these acceptance
speeches there wouldn't be any inducement to go to heaven."
    Will Rogers
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
Developer Communication List                   [EMAIL PROTECTED]
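
The ownership and writability check the message above mentions, as an added example (not part of the original post, and not OpenPKG or COPS code). The function names and the sample tree are assumptions; the trusted uid is a parameter so the check can also be exercised without root.

```python
import os
import stat
import tempfile


def reasons_untrusted(path, trusted_uid):
    """Return the reasons a non-trusted user could alter what `path` runs."""
    st = os.lstat(path)  # lstat: judge the link itself, do not follow it
    if stat.S_ISLNK(st.st_mode):
        return ["symlink (target not verified)"]
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append("owned by uid %d" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:  # conservative: any group write is flagged
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_rc_tree(rc_dir, trusted_uid=0):
    """Map each risky path under rc_dir (and rc_dir itself) to its reasons.

    Directories are checked too: write access to a directory lets a user
    replace or add scripts even when every file in it is read-only.
    """
    paths = [rc_dir]
    for root, dirs, files in os.walk(rc_dir):
        paths += [os.path.join(root, name) for name in dirs + files]
    findings = {}
    for path in paths:
        reasons = reasons_untrusted(path, trusted_uid)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample tree standing in for an rc script directory.
    with tempfile.TemporaryDirectory() as rc_dir:
        for name, mode in (("rc.good", 0o755), ("rc.loose", 0o775)):
            script = os.path.join(rc_dir, name)
            open(script, "w").close()
            os.chmod(script, mode)
        # Assumption for the demo: the current user plays the trusted owner.
        for path, why in sorted(audit_rc_tree(rc_dir, os.getuid()).items()):
            print(path, "->", ", ".join(why))
```

Directories above rc_dir are not examined, so a complete check would also walk the ancestors up to the filesystem root.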