On Sun, 12 Sep 2010 09:33:39 +0200, Max Horn wrote:

> Here is one idea: Maybe we could insert our own custom chmod/chown scripts into the PATH used for building packages, with suid flag set, so that they can invoke the original chmod/chown with the appropriate rights. Of course that punches a hole into the "non-root" approach, but a relatively small one (as long as we don't do --b-a-n to prevent security holes, this is not a big issue, anyway).
>
> We could also try to avoid that hole by filtering the path arguments passed to our chmod/chown/chgroup commands, to only accept paths inside the build dir (or even only in the install dir). For that, in turn, some care would have to be taken to make sure callers can't "punch out" by using clever combos of ".." and symlinks. That could be done by using "readlink -f PATH" on each of the paths passed to the chmod util before matching it against the /sw/src/fink.build/%n-%v-%r prefix (or whatever the build dir is set to).

Wouldn't a suid'ed "chown" allow any user to seize ownership of any file anywhere on the filesystem? Would have to be *very* careful to sanitize the allowable targets. But even still, it would allow some random user on a shared machine to take ownership of files in a build dir during the build process, and therefore own live files in /sw. Only safe way to have this sort of feature would be to have the suid-chown verify that the real user running it is fink-bld. If only the --build-as-nobody user can use it and nobody (except root) can become that user, we're essentially as safe as only allowing root to do chown.

In addition to chown and chmod, we'd need install (its -o and -g flags always trip --build-as-nobody in imake projects) and chgrp.

A second part of the process would have to involve changes to existing --b-a-n functionality: the reversion of builddir to root.

Currently (approximately), --b-a-n switches to fink-bld for InstallScript and related actions, then 'chown -R root:admin $builddir' so that it is back to the normal state for live filesystem files. If we have chown'ed files to (for example) games, that would wipe the ownership anyway. Instead we would have to replace the chown -R with one that only acted on files still owned by fink-bld (and separate similar control group). Not un-doable ('find' or a perl-equivalent implementation), just a TODO reminder.

dan
--
Daniel Macks
dma...@netspace.org

Fink-devel mailing list
Fink-devel@lists.sourceforge.net
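The two mechanisms the thread sketches, as an added example that is not Fink's code and not from either poster: a wrapper policy that (1) checks the real uid against the build user, as Dan proposes, and (2) applies Max's "readlink -f, then match against the build-dir prefix" filter to every path argument before handing over to the real chown; plus the find-based replacement for the blanket `chown -R root:admin $builddir` that only touches files still owned by the build user. The user name `fink-bld`, the prefix `/sw/src/fink.build` and the real chown's location are assumptions taken from the messages and are overridable through environment variables; the exit code 77 is EX_NOPERM from sysexits.h.

```shell
#!/bin/sh
# Added example (not Fink's code): the policy a restricted chown wrapper would
# enforce, as discussed in the thread. Assumptions, all overridable via env:
#   FINK_BUILD_USER  name of the --build-as-nobody user (the thread says fink-bld)
#   FINK_BUILD_DIR   build-dir prefix (the thread's /sw/src/fink.build)
#   FINK_REAL_CHOWN  the real chown the wrapper hands over to
BUILD_USER="${FINK_BUILD_USER:-fink-bld}"
BUILD_DIR="${FINK_BUILD_DIR:-/sw/src/fink.build}"
REAL_CHOWN="${FINK_REAL_CHOWN:-/usr/sbin/chown}"

# Check 1: the *real* uid (id -r), not the effective uid a suid bit grants,
# must be the build user, so an ordinary user on a shared machine cannot use it.
real_user_is_build_user() {
    [ "$(id -u -n -r)" = "$BUILD_USER" ]
}

# Check 2: a path is acceptable only if, after resolving every symlink and ".."
# component with readlink -f, it is strictly inside the (equally resolved)
# build dir. Comparing the resolved strings defeats "../.." and symlink
# escapes; comparing the raw argument would not.
path_in_builddir() {
    base=$(readlink -f -- "$BUILD_DIR" 2>/dev/null) || return 1
    resolved=$(readlink -f -- "$1" 2>/dev/null) || return 1
    case "$resolved" in
        "$base"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Walk a chown-style argument list: skip leading options (-R, -h, ...), drop the
# OWNER[:GROUP] spec, then require every remaining path to pass check 2.
# One bad path refuses the whole invocation.
check_chown_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --) shift; break ;;
            -*) shift ;;
            *)  break ;;
        esac
    done
    [ $# -ge 2 ] || return 1   # need an owner spec and at least one path
    shift                      # drop OWNER[:GROUP]
    for p in "$@"; do
        path_in_builddir "$p" || return 1
    done
    return 0
}

# Wrapper entry point; an installed script would end with: fink_chown_main "$@"
# It is not called at load time so the policy functions can be tested on their own.
fink_chown_main() {
    real_user_is_build_user || {
        echo "chown wrapper: refused, real user is not $BUILD_USER" >&2; return 77; }
    check_chown_args "$@" || {
        echo "chown wrapper: refused, path outside $BUILD_DIR" >&2; return 77; }
    exec "$REAL_CHOWN" "$@"
}

# Second part of the thread: instead of 'chown -R root:admin $builddir', which
# would also wipe a deliberate chown to e.g. games, select only what is still
# owned by the build user. find does not follow symlinks, so a link inside the
# build dir is judged by its own ownership, not its target's.
files_still_owned_by_build_user() {
    find "$1" -user "$BUILD_USER"
}

# The replacement for the blanket chown -R (needs root to actually run).
revert_builddir_ownership() {
    find "$1" -user "$BUILD_USER" -exec chown -h root:admin {} +
}
```

One caveat on the shape of the wrapper: Linux, macOS and the BSDs ignore the setuid bit on interpreted `#!` scripts, so a deployed version of this policy would have to live in a small compiled binary (or behind a sudo rule restricted to the build user) that performs the same two checks before exec'ing the real chown; the shell above shows the checks, not the privilege boundary.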