[Rpm-maint] [rpm-software-management/rpm] RFE: run scriptlets in selective filesystem isolation (Issue #2665)

Panu Matilainen notifications at github.com
Fri Sep 15 06:56:50 UTC 2023


Inspired by https://github.com/rpm-software-management/rpm/pull/2617:

Scriptlets sometimes use /tmp insecurely; on platforms that support it (Linux at least) we could run scriptlets with a private /tmp to enforce the matter.

Another, kind of opposite, use case could be to protect /home against naughty packages trying to peek in there (which they have absolutely zero business doing): just give scriptlets a private /home.

This could be easily made configurable so people can tune + protect for local needs.

To cover all scriptlets, we'd need #2635 first. Whether that's an actual blocker is a separate question; it doesn't have to be an all-or-nothing thing.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2665
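The private /tmp and private /home idea from the message above, sketched with a Linux mount namespace. This is an added example, not code from rpm or from the issue; `path_ok` and `run_isolated` are hypothetical names, the path policy is an assumption, and the caller is assumed to hold CAP_SYS_ADMIN. `run_isolated` returns the child's exit status, or -1 on error.

```c
#include <sched.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000 /* kernel ABI value; sched.h hides it without _GNU_SOURCE */
#endif

/* Assumed policy: only absolute, normalised, non-root paths may be made private. */
int path_ok(const char *p) {
    if (!p || p[0] != '/' || p[1] == '\0') return 0;
    for (const char *s = p; *s; ) {            /* s sits on a '/' */
        const char *e = strchr(s + 1, '/');
        size_t n = e ? (size_t)(e - s - 1) : strlen(s + 1);
        if (n == 0 || (n <= 2 && s[1] == '.' && s[n] == '.')) return 0;
        s = e ? e : s + 1 + n;
    }
    return 1;
}

/* Run argv with each priv[] path (NULL-terminated list) hidden behind a child-only tmpfs. */
int run_isolated(const char **priv, char *const argv[]) {
    for (int i = 0; priv[i]; i++)
        if (!path_ok(priv[i])) return -1;      /* refuse before forking */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* New mount namespace, then private propagation so nothing reaches the host. */
        if (syscall(SYS_unshare, CLONE_NEWNS) != 0) _exit(126);
        if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) _exit(126);
        for (int i = 0; priv[i]; i++)
            if (mount("tmpfs", priv[i], "tmpfs", MS_NOSUID | MS_NODEV,
                      strcmp(priv[i], "/tmp") ? "mode=0755" : "mode=1777") != 0)
                _exit(126);
        execv(argv[0], argv);
        _exit(127);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

int main(void) {
    const char *priv[] = { "/tmp", "/home", NULL };
    char *cmd[] = { "/bin/sh", "-c", "ls -A /tmp /home", NULL };
    return run_isolated(priv, cmd);
}
```

Run as root, the child lists two empty directories while the host's /tmp and /home are unchanged; exit status 126 means the namespace or mount setup was refused.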