Have I done something wrong, or am I missing something? It seems to me to be a major security hole in a system when crontab executes the %{l_prefix}/etc/rc scripts as root, and that script can then execute other programs with root privileges where the rc script and package scripts are writeable by any user other than root. What's to prevent anyone from having something like this in their rc.package file?

    ...
    %start -p 200 -u root
        rm -rf /
    ...

Programs like COPS go to some length to check for programs and scripts run out of cron with root privileges to ensure that things like this can't happen.

It seems to me that the only way around this with openpkg (short of writing some kind of program that checks ownership and writeability of any root cron scripts) would be to have all the base directories under %{l_prefix} writeable only by root while the RPM directory has the usual ownership and permissions. This would still allow non-root users to build software, but would require root privileges to install.

Bill
--
INTERNET:   [EMAIL PROTECTED]   Bill Campbell; Celestial Software LLC
UUCP:       camco!bill          PO Box 820; 6641 E. Mercer Way
FAX:        (206) 232-9186      Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

"If we got one-tenth of what was promised to us in these acceptance speeches there wouldn't be any inducement to go to heaven."
    Will Rogers
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
Developer Communication List                          [EMAIL PROTECTED]
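
An added example, not part of the original message and not OpenPKG code: a sketch of the kind of ownership and writeability check the message mentions, applied to everything under `<prefix>/etc`. The function name `audit_rc_tree`, its `trusted_uid` parameter and the choice to treat any group-writable entry as a finding are assumptions of this example.

```python
import os
import stat
import sys


def audit_rc_tree(prefix, trusted_uid=0):
    """Return sorted (path, reason) findings for entries under prefix/etc
    that an account other than trusted_uid could modify or replace."""
    findings = set()

    def check(path):
        st = os.lstat(path)  # lstat: do not follow symlinks
        if stat.S_ISLNK(st.st_mode):
            # The link target lives outside this audit; review it by hand.
            findings.add((path, "symlink"))
            return
        if st.st_uid != trusted_uid:
            findings.add((path, "owner uid %d" % st.st_uid))
        if st.st_mode & stat.S_IWGRP:
            findings.add((path, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.add((path, "world-writable"))

    etc = os.path.join(prefix, "etc")
    # A writable directory lets a user rename or replace a script even if
    # the script itself is read-only, so directories are checked as well.
    # Ancestors above the prefix are not checked here.
    check(prefix)
    check(etc)
    for dirpath, dirnames, filenames in os.walk(etc):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: audit.py <prefix>   (the path is supplied by the operator)
    results = audit_rc_tree(sys.argv[1])
    for path, reason in results:
        print("%s: %s" % (path, reason))
    sys.exit(1 if results else 0)
```

Run from a root-owned location before the cron job fires, a non-zero exit status can be used to skip the rc run and alert instead.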