Neven Sajko wrote:
I used makepkg to build a package from /tmp. The package was then put to the designated directory and a symlink to pwd. When I try to install it with pacman -U /tmp/symlink-to-package, I get an error (permission denied) which I don't get when invoking pacman -U directly with the name of the file (not with the symbolic link). See, like this:
[root@lnv64 tmp]# pacman -U /tmp/lomoco-1.0-9-x86_64.pkg.tar
loading packages...
error: '/tmp/lomoco-1.0-9-x86_64.pkg.tar': permission denied
[...]

So from this line:

access("/tmp/lomoco-1.0-9-x86_64.pkg.tar", R_OK) = -1 EACCES (Permission denied)

we see that the kernel call access() reports that root doesn't have read access to a 777-permissible file?! Maybe it matters that it's on tmpfs and/or a symlink?
This is probably due to the fs.protected_symlinks sysctl being turned on, which I believe it is by default in Arch. Most symlinks in world-writable sticky directories (like /tmp) are not followed except by processes running as the user that created them. This is to prevent common attacks where a privileged process tries to access what it thinks is not a symlink, but another process manages to insert a symlink to an unrelated file so that the privileged process performs the wrong access.

It's not a good idea to build things directly in /tmp like that anyway, for more or less that reason. Creating a subdirectory of /tmp for each new "action" that needs temporary files is a better approach.

---> Drake Wilson
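
The check described in the reply above, as an added diagnostic example that is not part of the original thread: it applies the rule from the kernel's sysctl documentation for fs.protected_symlinks (follow allowed when the follower owns the link, the parent directory is not both sticky and world-writable, or the directory owner owns the link). The function names and the build user's uid 1000 are assumptions made for illustration.

```python
import os
import stat

STICKY_WORLD_WRITABLE = stat.S_ISVTX | stat.S_IWOTH


def follow_allowed(protected, follower_uid, link_uid, dir_mode, dir_uid):
    """Return (allowed, reason) per the documented protected_symlinks rule."""
    if not protected:
        return True, "fs.protected_symlinks is 0"
    if follower_uid == link_uid:
        return True, "follower owns the symlink"
    if (dir_mode & STICKY_WORLD_WRITABLE) != STICKY_WORLD_WRITABLE:
        return True, "parent directory is not sticky and world-writable"
    if dir_uid == link_uid:
        return True, "parent directory owner owns the symlink"
    return False, "EACCES: foreign symlink in a sticky world-writable directory"


def sysctl_enabled(path="/proc/sys/fs/protected_symlinks"):
    """Read the live sysctl; an unreadable file (non-Linux) counts as off."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def diagnose(link_path, follower_uid, protected=None):
    """Apply the rule to a real path for a given follower uid."""
    if protected is None:
        protected = sysctl_enabled()
    link = os.lstat(link_path)  # lstat: inspect the link itself, not its target
    if not stat.S_ISLNK(link.st_mode):
        return True, "not a symlink; the restriction does not apply"
    parent = os.stat(os.path.dirname(os.path.abspath(link_path)))
    return follow_allowed(protected, follower_uid, link.st_uid,
                          parent.st_mode, parent.st_uid)


if __name__ == "__main__":
    # Constructed stand-in for the thread's case: root (uid 0) follows a
    # symlink made by a build user (uid 1000, assumed) in /tmp (root, 1777).
    print(follow_allowed(True, 0, 1000, 0o41777, 0))
    # The suggested layout: a per-action subdirectory owned by the builder.
    print(follow_allowed(True, 0, 1000, 0o40700, 1000))
```

Running `diagnose("/tmp/some-link", 0)` as any user reports whether root would be refused on that link under the live sysctl setting.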