[Rpm-maint] [rpm-software-management/rpm] Private /tmp directory for scriptlets (PR #2617)

Johannes Segitz notifications at github.com
Wed Aug 16 12:04:42 UTC 2023


Ensure a private /tmp directory is used for each scriptlet that is run during installation. Sometimes packagers place vulnerable code in these snippets that operates naively on /tmp and allows for escalation of privileges for local users.

This is intended as POC/RFC. We monitor the %post etc. scriptlets added by our maintainers and regularly identify issues with those. Not all will be fixed with this (everything that operates out of /tmp can still cause issues), but the hope is to at least prevent issues in /tmp once and for all.

We applied this patch to openSUSE Tumbleweed, built the distribution with it and ran several openQA test suites on this (e.g. https://openqa.opensuse.org/tests/3507153) without seeing any issues. But I assume that getting this upstream might require changes due to reasons outlined in the contributing guidelines, but I hope we can enable this by default.

I assume that there will need to be a way to opt out of this via a cmd argument, but didn't implement this yet.
You can view, comment on, or merge this pull request online at:

  https://github.com/rpm-software-management/rpm/pull/2617

-- Commit Summary --

  * Private /tmp directory for scriptlets

-- File Changes --

    M lib/transaction.c (39)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/2617.patch
https://github.com/rpm-software-management/rpm/pull/2617.diff
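
The kind of scriptlet code the description refers to, next to the scriptlet-side fix that a private /tmp complements. This is an added example, not code from the PR or from rpm; the package name "mypkg", the file names and the scratch directory standing in for the shared /tmp are all constructed.

```shell
#!/bin/sh
# Constructed demo. "$1" is a scratch directory standing in for the shared,
# world-writable /tmp; "mypkg" is a hypothetical package name.

# Pattern often seen in scriptlets: a fixed, predictable name in /tmp.
# The redirection follows whatever already exists at that path.
naive_write() {
    echo "generated by scriptlet" > "$1/mypkg.tmp"
}

# Hardened form: mktemp(1) picks an unpredictable name and creates the file
# exclusively, so an entry that already exists is never reused.
safe_write() {
    f=$(mktemp "$1/mypkg.XXXXXXXXXX") || return 1
    echo "generated by scriptlet" > "$f"
    printf '%s\n' "$f"
}

# Returns 0 if the given writer left an unrelated file untouched even though
# the predictable name was already present as a symlink pointing at it.
# $1 = naive_write | safe_write
write_is_contained() {
    scratch=$(mktemp -d) || return 2
    mkdir "$scratch/tmp" "$scratch/etc"
    echo "original" > "$scratch/etc/important"
    ln -s "$scratch/etc/important" "$scratch/tmp/mypkg.tmp"
    "$1" "$scratch/tmp" > /dev/null
    content=$(cat "$scratch/etc/important")
    rm -rf "$scratch"
    [ "$content" = "original" ]
}
```

A per-scriptlet private /tmp removes the shared directory from this picture, but scriptlets that write to other shared locations still need the mktemp form.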
