Gentoo Archives: gentoo-dev

From: Ned Ludd <solar@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] how to handle sensitive files when generating binary packages
Date: Wed, 20 Jun 2007 21:29:35
Message-Id: 1182373900.17528.45.camel@hangover
In Reply to: Re: [gentoo-dev] how to handle sensitive files when generating binary packages by Mike Frysinger
On Wed, 2007-06-20 at 15:57 -0400, Mike Frysinger wrote:
> On Wednesday 20 June 2007, Marius Mauch wrote:
> > Mike Frysinger <vapier@g.o> wrote:
> > > mayhaps we need a new function to be run in src_install() to label
> > > files as "sensitive" ... so baselayout would do:
> > > esosensitive /etc/{fstab,group,passwd,shadow}
> > > and then we expand the format of CONTENTS in the vdb:
> > > priv /etc/fstab <hash> <mtime>
> >
> > And what would be phase 2 of that? Just having a new filetype
> > in CONTENTS doesn't accomplish anything by itself ...
>
> updating any tool that creates binary packages from the live $ROOT of course
> silly billy
>
> current behavior:
> # quickpkg baselayout
> * Building package for sys-apps/baselayout-1.12.10-r4
> * Packages now in '/usr/portage/pacakges':
> * sys-apps/baselayout-1.12.10-r4: 307K
>
> proposed new behavior (exact output here is not part of the discussion so don't
> nit pick it):
> # quickpkg baselayout
> * Building package for sys-apps/baselayout-1.12.10-r4
> * Skipping sensitive file: /etc/passwd
> * Skipping sensitive file: /etc/shadow
> * Skipping sensitive file: /etc/group
> * Packages now in '/usr/portage/pacakges':
> * sys-apps/baselayout-1.12.10-r4: 307K
> # quickpkg --iamsensitive baselayout
> * Building package for sys-apps/baselayout-1.12.10-r4
> * Including sensitive file: /etc/passwd
> * Including sensitive file: /etc/shadow
> * Including sensitive file: /etc/group
> * Packages now in '/usr/portage/pacakges':
> * sys-apps/baselayout-1.12.10-r4: 307K

Suggestion:
If you go down this "sensitive" route, please ensure that the
generated .tbz2 is mode 600 to prevent exposing this sensitive
data more than need be.

--
Ned Ludd <solar@g.o>
Gentoo Linux

--
gentoo-dev@g.o mailing list
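
The two ideas in this thread combined, as an added example that is not part of the original messages and is not Portage or quickpkg code: skip entries marked `priv` in CONTENTS unless asked otherwise, and create the archive with mode 600 from the moment it exists. Assumptions: `priv` is the entry type proposed above rather than an existing CONTENTS type, the output is a plain tar.bz2 without the metadata a real .tbz2 carries, and `parse_contents`, `build_package` and `demo` are hypothetical names.

```python
import os, stat, tarfile, tempfile

# Constructed vdb CONTENTS sample; "priv" is the entry type proposed in the thread.
SAMPLE_CONTENTS = """\
obj /etc/hosts 0123abcd 1182373900
priv /etc/passwd 4567ef01 1182373900
priv /etc/shadow 89ab2345 1182373900
"""

def parse_contents(text):
    """Yield (type, path) for file entries; the path may contain spaces."""
    for line in text.splitlines():
        ftype, _, rest = line.partition(" ")
        if ftype in ("obj", "priv"):
            yield ftype, rest.rsplit(" ", 2)[0]  # drop <hash> <mtime>

def build_package(contents, root, out_path, include_sensitive=False):
    """Archive the listed files from root; return (included, skipped)."""
    included, skipped = [], []
    # Create the archive 0600 from the first byte: there is no window in which
    # it is world-readable, and O_EXCL refuses a pre-existing file or symlink.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.fchmod(fd, 0o600)  # exact mode regardless of the caller's umask
    with os.fdopen(fd, "wb") as raw, tarfile.open(fileobj=raw, mode="w:bz2") as tar:
        for ftype, path in parse_contents(contents):
            if ftype == "priv" and not include_sensitive:
                skipped.append(path)
                continue
            rel = path.lstrip("/")
            tar.add(os.path.join(root, rel), arcname=rel)
            included.append(path)
    return included, skipped

def demo(include_sensitive=False):
    """Package a throwaway $ROOT; return (included, skipped, mode, names)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "root")
        os.makedirs(os.path.join(root, "etc"))
        for name in ("hosts", "passwd", "shadow"):
            with open(os.path.join(root, "etc", name), "w") as f:
                f.write("constructed sample\n")
        out = os.path.join(tmp, "baselayout.tbz2")
        inc, skip = build_package(SAMPLE_CONTENTS, root, out, include_sensitive)
        mode = stat.S_IMODE(os.stat(out).st_mode)
        with tarfile.open(out) as tar:
            return inc, skip, mode, tar.getnames()

if __name__ == "__main__":
    print(demo(), demo(include_sensitive=True))
```

Running `chmod 600` after the archive is written would leave it readable under the default umask while it is being filled, which is why the mode is set at creation.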