https://bugzilla.redhat.com/show_bug.cgi?id=1304882
--- Comment #26 from Zbigniew Jędrzejewski-Szmek <zbys...@in.waw.pl> ---
(In reply to Ludwig Nussel from comment #22)
> If you prefer logging to the journal ie stdout feel free let your openQA
> package do that instead.
That would seem like the best option, unless openqa generates huge amounts of
logs. How much logs does openqa generate? logrotate is annoying, the journal is
much nicer to use.
(In reply to awill...@redhat.com from comment #17)
> I still don't entirely grok that 'subdirectory ownership' thing, but I asked
> on #yum, and mls said:
>
> <mls> 06:09:12> adamw: I guess this is about subdirectories which include
> other files/directories also packaged in rpm
> <mls> 06:10:26> I think the security issue is that the non-root user can
> modify the directory while rpm messes (as root) with the directory contents
> 06:10:48> e.g. creates symlinks and the like.
Oh, OK, I think I get it now. Let's say that we have user-owned /var/a in
%files, and then /var/a/b/file in %files. The user can rename /var/a/b to
/var/a/b.old, create /var/a/b, and e.g. symlink /var/a/b/file → /etc/passwd.
When rpm updates /var/a/file during package upgrade it will trash /etc/passwd.
Similar considerations would hold for a subdirectory inside a user-owned
directory. At least it allows the user to cause rpm to write files to arbitrary
directories in the filesystem. I'm not sure if it's possible to carry out the
attack with just one level of nesting. Maybe, it probably depends on the order
in which rpm does operations and whether it uses O_EXCL.
Anyway, I think that the last version is OK, only leaf directories are owned by
geekotest.
> I'll note that the Wordpress package has something very similar to what this
> now has:
>
> %dir %attr(0775,apache,ftp) %{wp_content}/plugins
> %dir %attr(0775,apache,ftp) %{wp_content}/themes
> %dir %attr(0775,apache,ftp) %{wp_content}/upgrade
> %dir %attr(0775,apache,ftp) %{wp_content}/uploads
>
> so either it's not really a problem or every Fedora wordpress instance in
> the world is vulnerable to it :)
In this snippet there is no nesting, so it's not relevant. But I wouldn't use
wordpress to prove security anyway ;)
--
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
_______________________________________________
package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review
