[Rpm-maint] [rpm-software-management/rpm] Private /tmp directory for scriptlets (PR #2617)
Johannes Segitz
notifications at github.com
Wed Aug 16 12:04:42 UTC 2023
Ensure a private /tmp directory is used for each scriptlet that is run during installation. Sometimes packagers place vulnerable code in these snippets that operates naively on /tmp and allows for escalation of privileges for local users.
This is intended as POC/RFC. We monitor the %post etc. scriptlets added by our maintainers and regularly identify issues with those. Not all will be fixed with this (everything that operates out of /tmp can still cause issues), but the hope is to at least prevent issues in /tmp once and for all.
We applied this patch to openSUSE Tumbleweed, built the distribution with it and ran several openQA test suites on this (e.g. https://openqa.opensuse.org/tests/3507153) without seeing any issues. But I assume that getting this upstream might require changes due to reasons outlined in the contributing guidelines, but I hope we can enable this by default.
I assume that there will need to be a way to opt out of this via a cmd argument, but didn't implement this yet.
You can view, comment on, or merge this pull request online at:
https://github.com/rpm-software-management/rpm/pull/2617
-- Commit Summary --
* Private /tmp directory for scriptlets
-- File Changes --
M lib/transaction.c (39)
-- Patch Links --
https://github.com/rpm-software-management/rpm/pull/2617.patch
https://github.com/rpm-software-management/rpm/pull/2617.diff
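The message above mentions monitoring %post and other scriptlets for code that operates naively on /tmp. The sketch below shows one way to automate such a review; it is an added example, not part of the pull request or of rpm. It assumes the section headers printed by `rpm -q --scripts`; the package name `mypkg`, the sample input and the matching heuristic are constructed for illustration.

```shell
#!/bin/sh
# audit_scriptlets: read "rpm -q --scripts" output on stdin and print
#   SECTION:INPUT_LINE:TEXT
# for every scriptlet line that names a fixed path under /tmp or /var/tmp.
# Heuristic (an assumption of this example): comment lines are skipped, and a
# line that calls mktemp is accepted because the final name is unpredictable.
audit_scriptlets() {
    awk '
        BEGIN { section = "unknown" }
        # Header such as "postinstall scriptlet (using /bin/sh):"
        /^[a-z]+ scriptlet \(using [^)]*\):$/ { section = $1; next }
        /^[ \t]*#/ { next }
        /mktemp/   { next }
        # /tmp/NAME or /var/tmp/NAME that is not the tail of a longer path
        $0 ~ "(^|[^A-Za-z0-9_./])/(var/)?tmp/[A-Za-z0-9_.$]" {
            printf "%s:%d:%s\n", section, NR, $0
        }
    '
}

# Constructed sample in the layout of "rpm -q --scripts" output.
sample_scripts() {
    cat <<'EOF'
preinstall scriptlet (using /bin/sh):
# stage old config in /tmp/mypkg.bak (comment only)
cp /etc/mypkg.conf /tmp/mypkg.bak
postinstall scriptlet (using /bin/sh):
work=$(mktemp -d /tmp/mypkg.XXXXXX) || exit 1
echo done > "$work/status"
/usr/bin/mypkg-gen > /var/tmp/mypkg.cache
EOF
}

# Typical use on an installed package:
#   rpm -q --scripts mypkg | audit_scriptlets
```

A line-based check like this only surfaces candidates for manual review; it does not see relative paths used after `cd /tmp` or paths assembled from variables.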