Re: [arch-dev-public] [pacman-dev] pacman screws up permissions
On 6/20/07, Thomas Bächler <thomas.baechler@gmx.de> wrote:
I just installed the ntfs-3g package with pacman 3.0.5-1:
$ /bin/ls -lhF /bin/ntfs-3g /usr/man/man8/ntfs-3g.8.gz -rwxrwxrwx 1 root root 36K 20. Jun 01:45 /bin/ntfs-3g* -rwxrwxrwx 1 root root 3,0K 20. Jun 01:44 /usr/man/man8/ntfs-3g.8.gz*
The permissions in the tarfile are 755 for /bin/ntfs-3g (and I suppose they are 644 for the manpage, didn't check that). This behaviour can cause critical bugs and in this case is security-relevant, as a user could change the ntfs-3g binary, which is executed at boot time on many systems. This has to be fixed FAST.
Has anyone read my recent emails? I've said the same thing, and I think it is due to a "fix" that didn't get tested well in pacman 3.0.5. I think I'm going to roll back that fix tonight unless someone else can come up with a solution. Relevant stuff: http://archlinux.org/pipermail/arch-dev-public/2007-June/001048.html http://archlinux.org/pipermail/pacman-dev/2007-June/008567.html http://archlinux.org/pipermail/pacman-dev/2007-June/008567.html http://bugs.archlinux.org/task/7461 http://bugs.archlinux.org/task/7323 -Dan
On Wed, 20 Jun 2007, Dan McGee wrote:
On 6/20/07, Thomas Bächler <thomas.baechler@gmx.de> wrote:
I just installed the ntfs-3g package with pacman 3.0.5-1:
$ /bin/ls -lhF /bin/ntfs-3g /usr/man/man8/ntfs-3g.8.gz -rwxrwxrwx 1 root root 36K 20. Jun 01:45 /bin/ntfs-3g* -rwxrwxrwx 1 root root 3,0K 20. Jun 01:44 /usr/man/man8/ntfs-3g.8.gz*
The permissions in the tarfile are 755 for /bin/ntfs-3g (and I suppose they are 644 for the manpage, didn't check that). This behaviour can cause critical bugs and in this case is security-relevant, as a user could change the ntfs-3g binary, which is executed at boot time on many systems. This has to be fixed FAST.
Has anyone read my recent emails? I've said the same thing, and I think it is due to a "fix" that didn't get tested well in pacman 3.0.5. I think I'm going to roll back that fix tonight unless someone else can come up with a solution.
Relevant stuff: http://archlinux.org/pipermail/arch-dev-public/2007-June/001048.html http://archlinux.org/pipermail/pacman-dev/2007-June/008567.html http://archlinux.org/pipermail/pacman-dev/2007-June/008567.html http://bugs.archlinux.org/task/7461 http://bugs.archlinux.org/task/7323
-Dan
There was a related problem with a previous version of pacman. I haven't check if it's still there in pacman 3.05. REF: http://archlinux.org/pipermail/tur-users/2007-May/005205.html When doing chown and chmod on a file to add it to a group (with rw permissions) like so: -rw-rw-r-- root:adesklets the file was installed with the permissions/ownership of: -rw-r--r-- root:root even if doing tar -tzvf on the package would should the correct permission/ownership like Thomas said above. I wanted to test with a git checkout of pacman but haven't done it yet. There's definitely a problem with file permission/ownership that was introduced before the 3.05 release. Maybe the latest fixes made it worse. Eric -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
On 6/20/07, Eric Belanger <belanger@astro.umontreal.ca> wrote:
On Wed, 20 Jun 2007, Dan McGee wrote:
On 6/20/07, Thomas Bächler <thomas.baechler@gmx.de> wrote:
I just installed the ntfs-3g package with pacman 3.0.5-1:
$ /bin/ls -lhF /bin/ntfs-3g /usr/man/man8/ntfs-3g.8.gz -rwxrwxrwx 1 root root 36K 20. Jun 01:45 /bin/ntfs-3g* -rwxrwxrwx 1 root root 3,0K 20. Jun 01:44 /usr/man/man8/ntfs-3g.8.gz*
The permissions in the tarfile are 755 for /bin/ntfs-3g (and I suppose they are 644 for the manpage, didn't check that). This behaviour can cause critical bugs and in this case is security-relevant, as a user could change the ntfs-3g binary, which is executed at boot time on many systems. This has to be fixed FAST.
Has anyone read my recent emails? I've said the same thing, and I think it is due to a "fix" that didn't get tested well in pacman 3.0.5. I think I'm going to roll back that fix tonight unless someone else can come up with a solution.
Relevant stuff: http://archlinux.org/pipermail/arch-dev-public/2007-June/001048.html http://archlinux.org/pipermail/pacman-dev/2007-June/008567.html http://archlinux.org/pipermail/pacman-dev/2007-June/008567.html http://bugs.archlinux.org/task/7461 http://bugs.archlinux.org/task/7323
-Dan
There was a related problem with a previous version of pacman. I haven't check if it's still there in pacman 3.05. REF: http://archlinux.org/pipermail/tur-users/2007-May/005205.html
When doing chown and chmod on a file to add it to a group (with rw permissions) like so: -rw-rw-r-- root:adesklets
the file was installed with the permissions/ownership of: -rw-r--r-- root:root
even if doing tar -tzvf on the package would should the correct permission/ownership like Thomas said above. I wanted to test with a git checkout of pacman but haven't done it yet.
There's definitely a problem with file permission/ownership that was introduced before the 3.05 release. Maybe the latest fixes made it worse.
Eric
Fixing now... -Dan
participants (2)
-
Dan McGee
-
Eric Belanger