[Rpm-maint] Automatic BuildRoot by default?
Panu Matilainen
pmatilai at redhat.com
Fri Jun 13 06:19:09 UTC 2008
On Thu, 12 Jun 2008, Stanislav Brabec wrote:
> Tom "spot" Callaway wrote:
>> On Thu, 2008-06-12 at 14:48 +0200, Jindrich Novy wrote:
>>
>>> Opinions?
>>
>> One of the reasons why the mktemp option is appealing is because it is
>> not predictable, and helps lessen the security risks of knowing where
>> the buildroot is going to be and inserting malicious files.
>
> This security problem exists from the early rpm versions and comes from
> lines:
> %install
> rm -rf $RPM_BUILD_ROOT
> mkdir -p $RPM_BUILD_ROOT
>
> Anybody can use race condition to create more permissive directory.
That assumes "anybody" can create directories in the buildroot root, which
of course is the case with the now typical %{_tmppath}/%{name}....
buildroot. The situation is fairly different with the suggested
%{_topdir}/BUILDROOT/<something> buildroot as %{_topdir} is typically more
or less private: keep in mind that in rpm.org HEAD the default %{_topdir}
is defined as "%(echo $HOME)/rpmbuild" so unless overridden, it's "safe
ground".
Of course it's still possible to override the topdir to something that's
shared between different users, but it's still a different game from
current %{_tmppath} use: I wouldn't expect people to share their
%{_topdir} with malicious users (if they do, that's their headache).
> Using mktemp() and keeping these lines in spec files will not improve
> security in any way.
Yes, IF mktemp() is used in a shared directory such as /tmp or
/var/tmp. In the case of %{_topdir}/BUILDROOT/%{name}....XXXXXX it doesn't
really improve security either, it just ensures a fully clean buildroot
for a package (even if you forget to add the two lines at beginning of
%install, something that happens to me every now and then ;) and makes
sure packages are "buildroot clean", ie aren't playing dumb games with
hardcoded assumptions.
Whether those "advantages" are worth breaking --short-circuit I dunno - I
certainly use -bi --short-circuit all the time to test %install/%files
correctness and would miss it sorely. One possibility would be using a
non-predictable buildroot only for --rebuild but...
> Secure build implies change of spec coding style. If rpmbuild itself
> will do rmdir()+mkdir() safely (correct privileges, force fail if
> directory exists and it is not possible to remove it), then the worst
> problem with the static BuildRoot is a DoS. I think that local DoS on
> rpmbuild is not a problem, because it already exists: one user adding
> foo.spec to SPECS makes impossible to build foo by anybody else.
>
> The "safe BuildRoot create" patch already exists in openSUSE.
Oh, I've somehow missed that entirely (I do every now and then look at
what distros are patching rpm with :), I'll have a look.
>> The only reason we use mktemp in there is because we couldn't make rpm
>> code changes to use the native glibc functions. As to rpm
>> --short-circuit, well, I honestly think we should think long and hard
>> about whether we want to keep it around.
>
> If mktemp() would be preferred anyway, rpmbuild could store
> package<->buildroot map in home directory. But I think, that it is an
> overkill, as build directories and source directories are static.
Yeah, sounds like an overkill to me too.
- Panu -
More information about the Rpm-maint
mailing list