[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#58640: wrapper does not handle fakeroot well

On Mon, Feb 21, 2000 at 11:09:22PM -0900, Ethan Benson wrote:
> On Tue, Feb 22, 2000 at 09:31:22AM +0200, Fabrizio Polacco wrote:
> > 
> > Jeah, it's because of the test 
> > 
> > 	[ `id -u` = 0 ] 
> > 
> > Joost, is there a simple way to test if a "root" is a "fakeroot"
> > instead?
> I am the one who suggested this test over the flawed writablity of
> /root, and I knew this would not work with fakeroot, but come on,
> please tell me one valid reason for running your shell through
> fakeroot? that is just plain silly and you get what you deserve for
> doing it IMO.
> fakeroot is for building packages as a non root user and ensuring that
> the files are owned by the proper users, i cannot think of any reason
> why dpkg-buildpackage would need to go read a manpage while doing
> this.
> this sounds like a complete non-issue IMO.

I understand this and I can even sympathize, but ...
... there is an issue.
Please remember that the wrapper si no only man, but also mandb.
mandb has an option -t which can be usefull to test a man hierarchy to
search for not parsable manpages or broken links.
For example you can run mandb -c -t debian/tmp/usr/share/man  within
your build, as a test case.
See the point? It will run under fakeroot.

> > >From a shell script or even from a C prog (I'm convincing myself that I
> > need to rewrite the wrapper in C and make it suid nobody ... or forget
> > this wrapper stuff at all :-).
> suid nobody will bring back the original reason for the wrapper in the
> first place, the concern was if uid man was compromised it can replace
> the man binaries since it owns them, if it were suid nobody if nobody
> were compromised it could replace the man binary with a trojan.

So let's forget this wrapper stuff and go back to plain old setuid man
man prog.
this for potato.
I will try to ave a setgid man and mandb for woody. then when it's
tested we can even make a potato security update.
But now we are only adding grave and important bugs and just delaying

| fab@pukki.ntc.nokia.com                     fpolacco@debian.org
| pgp: 6F7267F5   57 16 C4 ED C9 86 40 7B 1A 69 A1 66 EC FB D2 5E
| fabrizio.polacco@nokia.com             gsm: +358 (0)40 707 2468

Reply to: