[Fedora-packaging] buildroot race condition
opensource at till.name
Mon Mar 12 21:20:22 UTC 2007
On Mo März 12 2007, Tom 'spot' Callaway wrote:
> However, we're talking about someone performing an operation in a very
> tiny gap. It's just as likely that they would manually replace files at
This can be easily automated,
> any point in the process, or to argue that someone might rm -rf
> $RPM_BUILD_ROOT behind my back.
while this normally is not possible with correct/normal file permissions.
> Basically, what I'm saying is that this "race" is so unlikely, I don't
> think we need to bother to go out of our way to prevent it.
The fix is very easy, just add one line with mkdir.
> It would be far easier for an attacker to leverage wildcarding in %files
> while a package is building, wait for it to perform make install, then
> slide in their malicious bits.
This is also not possible with normal file permissions,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
More information about the Fedora-packaging