Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-dev

From: Mike Frysinger <vapier@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] how to handle sensitive files when generating binary packages
Date: Wed, 20 Jun 2007 21:42:01
Message-Id: 200706201738.07908.vapier@gentoo.org
In Reply to: Re: [gentoo-dev] how to handle sensitive files when generating binary packages by Ned Ludd
1 On Wednesday 20 June 2007, Ned Ludd wrote:
2 > On Wed, 2007-06-20 at 15:57 -0400, Mike Frysinger wrote:
3 > > On Wednesday 20 June 2007, Marius Mauch wrote:
4 > > > Mike Frysinger <vapier@g.o> wrote:
5 > > > > mayhaps we need a new function to be run in src_install() to label
6 > > > > files as "sensitive" ... so baselayout would do:
7 > > > > esosensitive /etc/{fstab,group,passwd,shadow}
8 > > > > and then we expand the format of CONTENTS in the vdb:
9 > > > > priv /etc/fstab <hash> <mtime>
10 > > >
11 > > > And what would be phase 2 of that? Just having a new filetype
12 > > > in CONTENTS doesn't accomplish anything by itself ...
13 > >
14 > > updating any tool that creates binary packages from the live $ROOT of
15 > > course silly billy
16 > >
17 > > current behavior:
18 > > # quickpkg baselayout
19 > > * Building package for sys-apps/baselayout-1.12.10-r4
20 > > * Packages now in '/usr/portage/pacakges':
21 > > * sys-apps/baselayout-1.12.10-r4: 307K
22 > >
23 > > proposed new behavior (exact output here is not part of the discussion so
24 > > dont nit pick it):
25 > > # quickpkg baselayout
26 > > * Building package for sys-apps/baselayout-1.12.10-r4
27 > > * Skipping sensitive file: /etc/passwd
28 > > * Skipping sensitive file: /etc/shadow
29 > > * Skipping sensitive file: /etc/group
30 > > * Packages now in '/usr/portage/pacakges':
31 > > * sys-apps/baselayout-1.12.10-r4: 307K
32 > > # quickpkg --iamsensitive baselayout
33 > > * Building package for sys-apps/baselayout-1.12.10-r4
34 > > * Including sensitive file: /etc/passwd
35 > > * Including sensitive file: /etc/shadow
36 > > * Including sensitive file: /etc/group
37 > > * Packages now in '/usr/portage/pacakges':
38 > > * sys-apps/baselayout-1.12.10-r4: 307K
39 >
40 > Suggestion:
41 > If you go down this "sensitive" route. please ensure that the
42 > generated.tbz2 is mode 600 to prevent exposing this sensitive
43 > data more than need be.
44
45 that's a different bug which is already being addressed (and which lead me
46 down this line of thinking in the first place) ...
47 -mike

Attachments

File name MIME type
signature.asc application/pgp-signature
Report Message
Find on MARC Find on Google Groups