On Fri, 12 Jan 2007 16:02:01 +0900 Georgi Georgiev <chutz@×××.net>
wrote:
| Why would it not be removed? Upstream installs in the sandbox, the
| contents of the sandbox are recorded in the package database and
| with collision-protect it will not override random stuff on my
| computer.

Unless upstream decides to override the sandbox sneakily, or uses one
of the many tricks to get content onto the live filesystem that Portage
won't handle.

| If I uninstall the package without ever touching it,
| everything will be removed. I do exclude the pkg_* phases from the
| above, but we already agreed that nothing from upstream executes
| there.

Not true. Not in the sliiiiiightest bit true. There are approximately
three zillion quirks in how Portage handles the merge which would allow
one to slip something through the cracks. Examples include overwriting
directories with files and installing non-(directories|symlinks|files).
Or if you want examples that will also work with package managers that
are more secure than Portage, think installing cron.d entries to create
malicious content.

| Still, your point makes sense. But I hope that you will agree that
| as long as FEATURES=userpriv exists it should be enforced. If it can
| be circumvented the FEATURE may as well be removed and the whole
| problem dealt with.

No. userpriv is a nice safety feature to prevent against *accidental*
screwups, but it has absolutely no value as a security feature. There
are a small number of occasions where it really does need to be
disabled, and that option should be available for the ebuild author
without the need to worry about silly users refusing to install the
package merely because of their misunderstanding of what userpriv does.

-- 
Ciaran McCreesh
Mail : ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/
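The merge quirks named in the reply above (a file in the image where the live system already has a directory, entries that are not a regular file, directory or symlink, and cron.d drop-ins that run later as root) are things a pre-merge audit of the install image can flag. The script below is an added example written for this page; it is not code from the thread, from Portage or from Paludis. It assumes a POSIX sh with find(1) and mkfifo(1), an image directory that mirrors the target root (the way an ebuild's ${D} mirrors ${ROOT}), and it builds its own constructed sample image and live root so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread, Portage or Paludis): a pre-merge audit
# of an install image for the merge quirks mentioned in the reply.
# Assumptions: POSIX sh with find(1) and mkfifo(1); IMAGE mirrors ROOT.

# audit_image IMAGE ROOT
# Prints one "KIND<TAB>/path" line per suspicious entry:
#   special       entry is not a regular file, directory or symlink
#   dir-clobber   image has a file/symlink where ROOT has a real directory
#   file-clobber  image has a directory where ROOT has a non-directory
#   cron          drop-in under /etc/cron.d or /etc/cron.*, i.e. code that
#                 will run later as root, outside any sandbox or userpriv
audit_image() {
    image=$1
    root=$2
    find "$image" -mindepth 1 | while IFS= read -r p; do
        rel=${p#"$image"}
        live="$root$rel"
        # Classify the image entry; -L must come first because -f/-d follow links.
        if   [ -L "$p" ]; then kind=symlink
        elif [ -d "$p" ]; then kind=dir
        elif [ -f "$p" ]; then kind=file
        else                   kind=special
        fi
        if [ "$kind" = special ]; then
            printf 'special\t%s\n' "$rel"
        fi
        # A file or symlink in the image where the live system has a real directory.
        if [ "$kind" != dir ] && [ -d "$live" ] && [ ! -L "$live" ]; then
            printf 'dir-clobber\t%s\n' "$rel"
        fi
        # A directory in the image where the live system has something that is not one.
        if [ "$kind" = dir ] && { [ -e "$live" ] || [ -L "$live" ]; } \
           && [ ! -d "$live" ]; then
            printf 'file-clobber\t%s\n' "$rel"
        fi
        # Cron drop-ins: the content is inert at merge time and runs as root later.
        case $rel in
            /etc/cron.d/*|/etc/cron.*/*) printf 'cron\t%s\n' "$rel" ;;
        esac
    done
}

# make_demo_image DIR
# Constructed sample (not a real package): DIR/image is what the package wants
# to install, DIR/root is the live system it would be merged into.
make_demo_image() {
    dir=$1
    mkdir -p "$dir/image/usr/bin" "$dir/image/usr/share/doc" \
             "$dir/image/etc/cron.d" "$dir/image/var/lib/pkg" \
             "$dir/root/usr/bin" "$dir/root/usr/share/doc/pkg" "$dir/root/var/lib"
    printf '#!/bin/sh\necho hello\n' > "$dir/image/usr/bin/tool"   # harmless file
    printf 'README\n' > "$dir/image/usr/share/doc/pkg"              # file over a live directory
    printf 'state\n'  > "$dir/root/var/lib/pkg"                     # live file under an image directory
    mkfifo "$dir/image/usr/bin/pipe"                                # neither file, dir nor symlink
    printf '* * * * * root /usr/bin/tool\n' > "$dir/image/etc/cron.d/pkg"  # cron drop-in
}

# Demo run on the constructed sample. A real check would point IMAGE at ${D}
# and ROOT at / (or ${ROOT}).
demo=$(mktemp -d)
make_demo_image "$demo"
audit_image "$demo/image" "$demo/root"
rm -rf "$demo"
```

On the sample this reports the fifo, the file over /usr/share/doc/pkg, the directory over the live /var/lib/pkg file and the cron.d entry, and stays silent on /usr/bin/tool. The cron check is the one that carries over to package managers stricter than Portage, because nothing about the merge itself is wrong there; the rule simply runs as root once cron picks it up, with userpriv and the sandbox long gone.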