In article <[EMAIL PROTECTED]> you wrote:
> Have I done something wrong, or missing something? It seems to me to be a
> major security hole in a system when crontab executes the
> %{l_prefix}/etc/rc scripts as root, and that script can then execute other
> programs with root privileges where the rc script and package scripts are
> writeable by any user other than root. What's to prevent anyone from
> having something like this in their rc.package file?
>
> ...
> %start -p 200 -u root
> rm -rf /
> ...
>
> Programs like COPS go to some length to check for programs and scripts run
> out of cron with root privileges to ensure that things like this can't
> happen.
>
> It seems to me that the only way around this with openpkg (short of writing
> some kind of program that checks ownership and writeability of any root
> cron scripts) would be to have all the base directories under %{l_prefix}
> writeable only by root while the RPM directory has the usual ownership and
> permissions.
>
> This would still allow non-root users to build software, but would require
> root privileges to install.

The general issue with the four user/group ids in OpenPKG I've now tried to
document at http://www.openpkg.org/faq.html#uid-security

The situation you mention is correct: someone with management user/group
(owner of your OpenPKG instance you specified with --user/--group) access
can reach super user/group access through manipulations of rc files. But
this is similar to the situation of "bin" and "root" in your Unix system.
Because even if the rc files and the rc script itself are owned and
writeable only by "root", this still does not change any security here.
Because the scripts themselves execute files in your OpenPKG instance and
those are owned by the management user/group ids, too. Same for your Unix
system: if someone is able to reach "bin" he just needs to change some
system commands and wait for the next system cronjob or system reboot.

So, you _HAVE_ to treat the OpenPKG management user/group equal to "root"
when it comes to security.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
The OpenPKG Project www.openpkg.org
Developer Communication List [EMAIL PROTECTED]
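
The ownership check discussed in this thread, as an added example (not part of the original messages and not OpenPKG code): it audits every file a root cron job would run, plus each parent directory, for control by accounts outside a trusted set. The prefix layout, file names and the `trusted_uids` parameter are constructed for illustration.

```python
import os
import tempfile

def untrusted_control(path, trusted_uids=(0,), top="/"):
    """List (component, reason) pairs for `path` and each parent directory
    up to `top` that an account outside `trusted_uids` could modify."""
    findings = []
    current, top = os.path.realpath(path), os.path.realpath(top)
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, f"owned by uid {st.st_uid}"))
        if st.st_mode & 0o020:
            findings.append((current, f"writable by gid {st.st_gid}"))
        if st.st_mode & 0o002:
            findings.append((current, "world-writable"))
        parent = os.path.dirname(current)
        if current == top or parent == current:
            return findings
        current = parent

def build_demo_prefix():
    """Constructed stand-in for an instance prefix; all names are made up."""
    prefix = tempfile.mkdtemp()
    layout = {"etc": 0o755, "etc/rc.d": 0o755, "bin": 0o775}  # bin: group-writable
    for rel, mode in layout.items():
        os.mkdir(os.path.join(prefix, rel))
        os.chmod(os.path.join(prefix, rel), mode)
    for rel in ("etc/rc", "etc/rc.d/rc.package", "bin/daemon"):
        full = os.path.join(prefix, rel)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(full, 0o755)
    os.chmod(prefix, 0o755)
    return prefix

def audit(prefix, executed, trusted_uids):
    """Check every file root would run, not only the rc script itself."""
    return {rel: untrusted_control(os.path.join(prefix, rel), trusted_uids, prefix)
            for rel in executed}

if __name__ == "__main__":
    prefix = build_demo_prefix()
    files = ["etc/rc", "etc/rc.d/rc.package", "bin/daemon"]
    # Trusting only the current uid stands in for "root only" on a real system.
    for rel, found in audit(prefix, files, (os.getuid(),)).items():
        print(rel, "->", found or "controlled only by trusted uids")
```

On the constructed tree the rc scripts come back clean while `bin/daemon` is flagged through its group-writable parent directory, which is why locking down the rc files alone does not close the path to root.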