On Sat, Dec 23, 2006, Javier Fernández-Sanguino Peña wrote:
> > First, /var/tmp/mach itself is currently shipped in the package (.deb)
> > itself; it serves as the base directory to copy over RPM files.
> Copy over RPM files from where?

mach can be used to 1) create chroots and 2) build RPM packages in this chroot; I'm referring to the second use case in which /var/tmp/mach serves as a directory to copy over SRPMs and .spec files.

> > When you create a chroot to e.g. build packages, you invoke:
> > mach -r centos-4-i386-os setup base
> What does that do? Does it modify /var/tmp/mach in any way?

It creates a chroot, I don't think it uses /var/tmp/mach at any point, but this is a pre-requisite to create an environment to use /var/tmp/mach.

> > Only users in the mach group may run the "mach-helper" SUID root
> > helper which can do the chroot() syscall or run package management
> > tools in the chroot (such as yum).
> What does that one do? Does it modify /var/tmp/mach in any way??

mach-helper serves various functions to mach which require root privileges. For example, it can run the host's RPM to run for a chroot, run a program in a chroot, run the host's yum or createrepo commands for a chroot. I mention it because it is SUID root, and might hence perhaps be misused to gain root permissions. I don't think it uses /var/tmp/mach itself.

> > The configs of the chroot are stored in /var/lib/mach/states, the
> > packages to create the chroot are downloaded into /var/cache/mach/, and
> > the chroot itself is under /var/lib/mach/roots.
> >
> > Once the chroot is created, you can build packages with a spec file:
> > mach -r centos-4-i386-os build libX11.spec
> > this will install the necessary packages and build-deps in the chroot
> > and copy the source package into the chroot. This is what happens for
> > example in:
> >
> > /var/tmp/mach/tmp/centos-4-i386-os/libX11-1.0.3-6.centos4/libX11-1.0.3-6.centos4.src.rpm
> > (here centos-4-i386-os is the chroot name and libX11-1.0.3-6 the source
> > package)
>
> I don't understand what really happens here. You say that the packages are
> downloaded into /var/cache/mach/ but then you say that the source package
> resides in /var/tmp/mach/tmp/ ?

The packages to setup the official RPM packages which are useful to setup the chroot or to install additional software (such as build tools) are downloaded in /var/cache/mach, but the SRPMs that mach is *building* are copied into /var/tmp/mach.

> > And mach will also copy the spec file to hand to rpmbuild into:
> > /var/tmp/mach/centos-4-i386-os/libX11-1.0.3-6.centos4/libX11.spec
> so the /var/tmp/mach/ path is used to build packages with a spec file?

Correct.

> If so, it's trivial for a user who has created /var/tmp/mach (no need to have
> it have any special permissions, since the users that use this work as root)
> to monitor (through the process list) when a user tries to run 'mach -r XXX
> build package.spec' and just create the needed directories
> /var/tmp/mach/XXXX/<package_name>/ (package_name is derived from the .spec
> file I guess) and then have <package>.src.rpm or <packagename>.spec symlink
> to a file under /etc/. Depending on how mach moves the files over there this
> would hose the full system (not just DoS mach, but DoS the system itself) if
> a vital file is overwritten.

That's what I took as an example in the upstream thread as well: overwriting /etc/passwd is a local DoS. You write "create the needed directories", but if the program fails when the directory exists, this means that it isn't exploitable?

--
Loïc Minier <[EMAIL PROTECTED]>
"Forget your stupid theme park! I'm gonna make my own! With hookers! And blackjack! In fact, forget the theme park!" -- Bender
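On the closing question about failing when the directory already exists: the following is an added example, not part of the original message and not mach's code, contrasting reuse of an existing build directory with atomic creation (mkdir, then O_EXCL|O_NOFOLLOW on the file). The function names, the sample paths and the temporary directory standing in for /var/tmp/mach are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

def naive_stage(build_dir, name, data):
    """Reuse-if-exists pattern: open() follows a pre-planted symlink."""
    os.makedirs(build_dir, exist_ok=True)
    with open(os.path.join(build_dir, name), "wb") as f:
        f.write(data)

def safe_stage(base, parts, name, data):
    """Write base/parts.../name; the last directory must be newly created."""
    dfd = os.open(base, DIR_FLAGS)
    try:
        for i, part in enumerate(parts):
            try:
                os.mkdir(part, 0o700, dir_fd=dfd)  # atomic; EEXIST even for a symlink
            except FileExistsError:
                if i == len(parts) - 1:
                    raise                          # never reuse a build directory
            nfd = os.open(part, DIR_FLAGS, dir_fd=dfd)  # refuses a symlinked component
            os.close(dfd)
            dfd = nfd
            st = os.fstat(dfd)
            if st.st_uid != os.geteuid() or st.st_mode & 0o022:
                raise PermissionError(f"{part}: foreign owner or writable by others")
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        with os.fdopen(os.open(name, flags, 0o600, dir_fd=dfd), "wb") as f:
            f.write(data)
    finally:
        os.close(dfd)

def demo():
    """Constructed scenario; a temp dir stands in for /var/tmp/mach."""
    with tempfile.TemporaryDirectory() as base:
        victim = Path(base, "victim")              # stands in for a vital file
        victim.write_bytes(b"original")
        build = os.path.join(base, "chroot-a", "pkg-1.0")
        os.makedirs(build)                         # pre-created by someone else
        os.symlink(victim, os.path.join(build, "pkg.spec"))
        try:
            safe_stage(base, ["chroot-a", "pkg-1.0"], "pkg.spec", b"spec")
            refused = False
        except OSError:
            refused = True
        intact = victim.read_bytes() == b"original"
        naive_stage(build, "pkg.spec", b"spec")    # writes through the link
        return refused, intact, victim.read_bytes() == b"spec"
```

Calling `demo()` returns `(True, True, True)`: the atomic variant refuses the pre-created directory and leaves the stand-in file untouched, while the reuse-if-exists variant overwrites it. A refusal still stops that build, so the impact is confined to the build tool rather than the file the link points to.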