| 1 |
On Fri, 12 Jan 2007 16:02:01 +0900 Georgi Georgiev <chutz@×××.net> |
| 2 |
wrote: |
| 3 |
| Why would it not be removed? Upstream installs in the sandbox, the |
| 4 |
| contents of the sandbox are recorded in the package database and |
| 5 |
| with collision-protect it will not override random stuff on my |
| 6 |
| computer. |
| 7 |
|
| 8 |
Unless upstream decides to override the sandbox sneakily, or uses one |
| 9 |
of the many tricks to get content onto the live filesystem that Portage |
| 10 |
won't handle. |
| 11 |
|
| 12 |
| If I uninstall the package without ever touching it, |
| 13 |
| everything will be removed. I do exclude the pkg_* phases from the |
| 14 |
| above, but we already agreed that nothing from upstream executes |
| 15 |
| there. |
| 16 |
|
| 17 |
Not true. Not in the sliiiiiightest bit true. There are approximately |
| 18 |
three zillion quirks in how Portage handles the merge which would allow |
| 19 |
one to slip something through the cracks. Examples include overwriting |
| 20 |
directories with files and installing non-(directories|symlinks|files). |
| 21 |
Or if you want examples that will also work with package managers that |
| 22 |
are more secure than Portage, think installing cron.d entries to create |
| 23 |
malicious content. |
| 24 |
|
| 25 |
| Still, your point makes sense. But I hope that you will agree that |
| 26 |
| as long as FEATURES=userpriv exists it should be enforced. If it can |
| 27 |
| be circumvented the FEATURE may as well be removed and the whole |
| 28 |
| problem dealt with. |
| 29 |
|
| 30 |
No. userpriv is a nice safety feature to prevent against *accidental* |
| 31 |
screwups, but it has absolutely no value as a security feature. There |
| 32 |
are a small number of occasions where it really does need to be |
| 33 |
disabled, and that option should be available for the ebuild author |
| 34 |
without the need to worry about silly users refusing to install the |
| 35 |
package merely because of their misunderstanding of what userpriv does. |
| 36 |
|
| 37 |
-- |
| 38 |
Ciaran McCreesh |
| 39 |
Mail : ciaranm at ciaranm.org |
| 40 |
Web : http://ciaranm.org/ |
| 41 |
Paludis, the secure package manager : http://paludis.pioto.org/ |
Archives