CAUTION!! giant security hole awaits! I've just discovered that recent Poky/Yocto runs 'devshell' as ROOT!
If I run 'bitbake SOME-RECIPE -c devshell' with a somewhat older metadata (poky rev 09359e6ec00901abfe49157f1f9730117b4d284b) the shell is run using my user id. With a newer poky rev 90b98764555945a186562ca8d501a9585ce2b23f, the shell runs as 'root'. This change came with this revision: commit 4dc31a327be1a506e78e1d028db08ceee22a216f Author: Richard Purdie <richard.pur...@linuxfoundation.org> Date: Thu Mar 28 13:17:12 2013 +0000 base.bbclass: When we use fakeroot, also use it for devshell Its generally useful for devshell to end up in the fakeroot environment. If a user needs to exit it, PSEUDO_UNLOAD=1 <command> works, its usually harder to enter the envionment. [YOCTO #3374] (From OE-Core rev: e6ffc747a8ca5142c9bc6fbd2b06b5808bb38b02) Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org> Isn't this a horrible security flaw? Or is 'fakeroot' actually safe? The change description doesn't tell me why it's "useful". Whatever the case, to me at least it's very unnerving... -- ------------------------------------------------------------ Gary Thomas | Consulting for the MLB Associates | Embedded world ------------------------------------------------------------ _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto