On Sun, 12 Sep 2010 09:33:39 +0200, Max Horn wrote:
 
> Here is one idea: Maybe we could insert our own custom chmod/chown 
> scripts into the PATH used for building packages, with suid flag set, 
> so that they can invoke the original chmod/chown with the appropriate 
> rights. Of course that punches a hole into the "non-root" approach, but 
> a relatively small one (as long as we don't do --b-a-n to prevent 
> security holes, this is not a big issue, anyway). 
> We could also try to avoid that hole by filtering the path 
> arguments passed to our chmod/chown/chgroup commands, to only accept 
> paths inside the build dir (or even only in the install dir). For that, 
> in turn, some care would have to be taken to make sure callers can't 
> "punch out" by using clever combos of ".." and symlinks. That could be 
> done by using "readlink -f PATH" on each of the paths passed to the 
> chmod util before matching it against the /sw/src/fink.build/%n-%v-%r 
> prefix (or whatever the build dir is set to). 
 
Wouldn't a suid'ed "chown" allow any user to seize ownership of any 
file anywhere on the filesystem? Would have to be *very* careful to 
sanitize the allowable targets. But even still, it would allow some 
random user on a shared machine to take ownership of files in a build 
dir during the build process, and therefore own live files in /sw. Only 
safe way to have this sort of feature would be to have the suid-chown 
verify that the real user running it is fink-bld. If only the 
--build-as-nobody user can use it and nobody (except root) can become 
that user, we're essentially as safe as only allowing root to do chown. 
 
In addition to chown and chmod, we'd need install (its -o and -g flags 
always trip --build-as-nobody in imake projects) and chgrp. 
 
A second part of the process would have to involve changes to existing 
--b-a-n functionality: the reversion of builddir to root. Currently 
(approximately), --b-a-n switches to fink-bld for InstallScript and 
related actions, then 'chown -R root:admin $builddir' so that it is 
back to the normal state for live filesystem files. If we have chown'ed 
files to (for example) games, that would wipe the ownership anyway. 
Instead would have to replace the chown -R with one that only acted on 
files still owned by fink-bld (and separate similar control group). Not 
un-doable ('find' or a perl-equivalent implementation), just a TODO 
reminder. 
 
dan

  --
Daniel Macks
  dma...@netspace.org
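The three controls discussed above (only the real user fink-bld may call the wrapper, every path argument is canonicalized with `readlink -f` and prefix-matched against the build dir, and the final revert touches only files still owned by fink-bld rather than `chown -R` everything), written out as an added shell sketch. This is not Fink's code; the variable names, function names, the `BUILDDIR_ROOT` default taken from the quoted path, the constructed sample tree in the usage section, and the assumption that `readlink -f` is available (GNU coreutils, or a recent BSD/macOS) are all mine.

```shell
#!/bin/sh
# Added example (not Fink's own code): the validation a setuid
# chown/chmod/chgrp wrapper would need before exec'ing the real tool,
# plus the selective ownership revert for the build dir.
# Assumed names: BUILDDIR_ROOT, BUILD_USER and every function below.

BUILDDIR_ROOT="${BUILDDIR_ROOT:-/sw/src/fink.build}"
BUILD_USER="${BUILD_USER:-fink-bld}"

# 1. In a setuid process the real uid is the caller, not root. Only the
#    --build-as-nobody user may proceed. The name is passed in so the check
#    can be exercised without setuid; a real wrapper would use "$(id -run)".
check_real_user() {
    [ "$1" = "$BUILD_USER" ]
}

# 2. Resolve symlinks and ".." on both the argument and the build root, then
#    require the argument to sit strictly below the root. A path that does
#    not exist (or whose parent does not) is refused rather than guessed.
path_in_builddir() {
    real=$(readlink -f -- "$1" 2>/dev/null) || return 1
    root=$(readlink -f -- "$BUILDDIR_ROOT" 2>/dev/null) || return 1
    case "$real" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Validate one request: $1 = real user name, $2 = owner/group/mode spec,
# $3.. = paths. Anything after the spec that starts with "-" is refused so
# that options such as --reference=FILE cannot smuggle in a foreign path.
# Returns 0 only if the wrapper may exec the real tool with root rights.
validate_request() {
    real_user=$1; shift
    spec=$1; shift
    check_real_user "$real_user" || { echo "refused: caller is not $BUILD_USER" >&2; return 1; }
    [ $# -gt 0 ] || { echo "refused: no paths given" >&2; return 1; }
    for p in "$@"; do
        case "$p" in
            -*) echo "refused: option-like argument $p" >&2; return 1 ;;
        esac
        path_in_builddir "$p" || { echo "refused: $p is outside $BUILDDIR_ROOT" >&2; return 1; }
    done
    return 0
}

# 3. Revert only what the build user still owns. Files the build handed to
#    another owner (e.g. "games") keep that owner instead of being wiped
#    back to root:admin by a blanket "chown -R".
files_owned_by_in() {
    # $1 = user, $2 = directory; prints matching paths, one per line
    find "$2" -user "$1" -print
}

revert_builddir() {
    # Needs root; shown for completeness, not exercised below.
    find "$1" -user "$BUILD_USER" -exec chown root:admin {} +
}
```

Usage: a wrapper named `chown` placed ahead of the real tool in PATH would call `validate_request "$(id -run)" "$1" "${@:2}"` (or the POSIX equivalent of shifting the spec off) and only then exec the real binary. Two caveats worth keeping in mind: most kernels, macOS included, ignore the setuid bit on interpreted scripts, so the privileged entry point has to be a small compiled binary (or a tightly scoped sudoers rule) that performs the same checks; and `readlink -f` only resolves what exists at the moment of the check, so the wrapper should open and act on the canonical path it verified rather than the original argument.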

_______________________________________________
Fink-devel mailing list
Fink-devel@lists.sourceforge.net
http://news.gmane.org/gmane.os.apple.fink.devel
Subscription management:
https://lists.sourceforge.net/lists/listinfo/fink-devel