Bug#248122: Please run wget as user nobody

2017-08-02 Thread René Wagner 

Hi Thijs,

I'm sorry to resurrect this from the dead. I came across this bug 
looking for something completely different...


On Fri, 15 Dec 2006 14:05:00 +0100 (CET) "Thijs Kinkhorst" 
 wrote:

I've seen the discussion in this bug, and I wonder whether it makes sense
to actually go the way to drop these privileges. A user running apt-get
update or apt-get upgrade is already performing many HTTP requests and
downloading numerous files from relatively untrusted sources (they are
verified after downloading), as root.

Would it make sense to change msttcorefonts for this while an admin will
already be doing this with APT?


APT uses its own much smaller special-purpose HTTP implementation. It 
also spawns a sub-process just for the HTTP method which I think used to 
run as an unprivileged user. On a jessie system the latter doesn't 
currently happen any more but that would be a bug in APT.


As for msttcorefonts, a straightforward approach would be to have wget 
output to stdout and avoid file system access by wget altogether:


# su - wgetuser -c "wget -O - $url/$file" > ./$file

I haven't tested it but this should run wget as wgetuser yet write to 
./$file as root while the destination path is controlled by the shell 
not wget.


Cheers,

Rene

Bug#248122: Please run wget as user nobody

2006-12-15 Thread Thijs Kinkhorst 
Hi,

 Unless I've missed it, there's no privlege dropping, and I'd like wget
 to run as a normal user (specifically: nobody).  This should be easily
 implemented, as the script is just writing to /tmp/.

I've seen the discussion in this bug, and I wonder whether it makes sense
to actually go the way to drop these privileges. A user running apt-get
update or apt-get upgrade is already performing many HTTP requests and
downloading numerous files from relatively untrusted sources (they are
verified after downloading), as root.

Would it make sense to change msttcorefonts for this while an admin will
already be doing this with APT?


Thijs

Bug#248122: Please run wget as user nobody

2006-10-12 Thread Thijs Kinkhorst 
Hi Justin,

 Can I expect to see this bug fixed for etch?
 
 http://bugs.debian.org/248122

No, I'm sorry it's too late for that in the release cycle now. I've only
just taken over the package and I'll make any non-trivial fixes only
after etch's release.


Thijs


signature.asc
Description: This is a digitally signed message part

Bug#248122: Please run wget as user nobody

2006-03-01 Thread Justin Pryzby 
Can I expect to see this bug fixed for etch?

http://bugs.debian.org/248122

Justin


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]