[arch-commits] Commit in modclean/trunk (PKGBUILD)
Levente Polyak
anthraxx at archlinux.org
Sat Feb 6 17:06:11 UTC 2021
Date: Saturday, February 6, 2021 @ 17:06:11
Author: anthraxx
Revision: 846923
upgpkg: modclean 3.0.0beta.1-3: fix files owned by uid 1000
This has serious security implications as the ownership means files are
writable by an unprivileged user and contain code breaking intended privilege
boundaries.
Modified:
modclean/trunk/PKGBUILD
----------+
PKGBUILD | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-02-06 17:04:34 UTC (rev 846922)
+++ PKGBUILD 2021-02-06 17:06:11 UTC (rev 846923)
@@ -2,7 +2,7 @@
pkgname=modclean
pkgver=3.0.0beta.1
-pkgrel=2
+pkgrel=3
pkgdesc='Remove unwanted files and directories from your node_modules folder'
arch=('any')
url='https://github.com/ModClean/modclean'
@@ -22,4 +22,8 @@
sed -e "s|${srcdir}|/|" -i package.json
find node_modules -name 'package.json' -exec sed -e "s|${pkgdir}||" -i {} \;
./bin/modclean.js -r -a '.bin,bin.js' --ignore='license'
+
+ # npm gives ownership of ALL FILES to build user
+ # https://bugs.archlinux.org/task/63396
+ chown -R root:root "${pkgdir}"
}
More information about the arch-commits
mailing list