
Re: Removing %clean




On May 26, 2009, at 3:50 PM, Till Maas wrote:

On Tue May 26 2009, Björn Persson wrote:
Tom "spot" Callaway wrote:
   mkdir -p `dirname "$RPM_BUILD_ROOT"`\
   mkdir "$RPM_BUILD_ROOT"\

Is that somehow better than just «mkdir -p "$RPM_BUILD_ROOT"»? Just
curious.

It prevents a race condition in case that $(dirname "$RPM_BUILD_ROOT") already exists or if all directories in the path to this directory are only writable by trustworthy users. In the default configuration, this was the /var/tmp directory, where every user could create a directory, make it writable for others and sneak content into the final rpm. Here is an explanation, why 'mkdir -p "$RPM_BUILD_ROOT"' is vulnerable:

http://lists.opensuse.org/opensuse-packaging/2007-02/msg00005.html

Or polyinstantiate /var/tmp

joe
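
The behavioural difference between the two forms discussed above, as an added example that is not part of the original thread: each form is run against a build root that already exists with mode 0777, then the two-step form is run on a fresh path and the result is checked for ownership and mode. The function names and the scratch paths are hypothetical, and the pre-made directory is a constructed stand-in for one created by another user in a shared temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread. All paths are constructed under mktemp.

# Form asked about in the thread: succeeds even when the final directory
# already exists, whoever created it and whatever its mode.
buildroot_mkdir_p() { mkdir -p "$1"; }

# Two-step form quoted in the thread: parents may already exist, but the
# last mkdir fails ("File exists") unless this process creates the directory.
buildroot_two_step() { mkdir -p "$(dirname "$1")" && mkdir "$1"; }

# True only if $1 is a real directory owned by the current uid and not
# writable by group or others.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] &&
    [ -n "$(find "$1" -prune -user "$(id -u)" ! -perm -020 ! -perm -002 -print)" ]
}

# Run creation function $1 against a build root that already exists with
# mode 0777. Prints "accepted" or "refused".
try_preexisting() {
    scratch=$(mktemp -d) || return 1
    root="$scratch/pkg-1.0-root"
    mkdir "$root" && chmod 0777 "$root"
    if "$1" "$root" 2>/dev/null; then result=accepted; else result=refused; fi
    rm -rf "$scratch"
    echo "$result"
}

# Run creation function $1 on a path that does not exist yet and check
# the directory it produced. Prints "private" or "unsafe".
try_fresh() {
    scratch=$(mktemp -d) || return 1
    root="$scratch/pkg-1.0-root"
    if (umask 022; "$1" "$root") && is_private_dir "$root"; then
        result=private
    else
        result=unsafe
    fi
    rm -rf "$scratch"
    echo "$result"
}

echo "mkdir -p, pre-existing root: $(try_preexisting buildroot_mkdir_p)"
echo "two-step, pre-existing root: $(try_preexisting buildroot_two_step)"
echo "two-step, fresh root:        $(try_fresh buildroot_two_step)"
```

A build script can call `is_private_dir` on the build root before installing into it and abort when the check fails.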



