On Tue, Jan 22, 2002 at 01:59:44AM +0100, Christian Jaeger wrote: > I just wanted to point it out here, since I wasn't sure whether I > should file a bug report against fakeroot for writing suid through,
I consider it a bug; it's introducing a third permissions+ownership state that was requested by neither the author nor the builder of the package. e.g. A program may be safe to run setgid games, but i certainly don't want it setgid to my project group. The package didn't ask for it to be setgid to my project group, so it's not wrong; I didn't ask for it; so it's a fakeroot bug. IMHO. Nor is it s[ug]id specific; if fakeroot is setting on-disk ownerships different to those requested, it should be pessimistic and not grant any actual permissions to those on-disk files. Permissions and ownerships only make sense together. > or one for dpkg-buildpackage either for not mentioning the risk in the > manpage, or for not warning that the directory I'm using is world > accessible, or one for the debhelper scripts (? or? I don't know the > build process enough) for not creating the tmp folders 0700. It could be worse, most rpm's seem to build in 777 directories. Build processes just aren't safe to run in publicly accessible dirs. But this does not excuse fakeroot to make up its own perms. -- Colin Phipps PGP 0x689E463E http://www.netcraft.com/