Re: dpkg-buildpackage (-rfakeroot) leaves setuid binaries
On Tuesday, 2002-01-22 at 01:11:18 +0100, Christian Jaeger wrote:
> (BTW a somewhat similar problem (but not debian specific) exists with
> the perl CPAN module build process: -MCPAN is designed to work as
> root. It downloads the tarball, extracts it (with the user/group that
> the author packed them) as root, thus you are left with files
> belonging to random system users. -MCPAN doesn't take any precautions
> to protect the .cpan/build/ folder, thus with a bit of luck some user on
> the system can modify the unpacked files before they are
> built/installed by root.)
You do not need to run the CPAN build process as root. You *may*
need the root account to install the packages (which, I admit, is
conveniently done from the CPAN.pm module).
Now, if your site specific CPAN directories do not belong to root,
you don't need even that. However, if then other perl library
directories *are* owned by root, you have trouble with new versions
of Perl Core modules - perl will always pick the old ones in
the system library directories because of the standard @INC.
Should those directories be owned by a "perl owner" user in Debian
to prevent possible exploits from Perl modules? It's easy to
catch somebody unawares from a Makefile.PL.
Lupe Christoph
--
| lupe@lupe-christoph.de | http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a |
| Bat-Leth contest on the holodeck. They will not concern us again. |
| http://public.logica.com/~stepneys/joke/klingon.htm |
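
Added example, not part of the original message: a shell function that audits an unpacked build tree such as `.cpan/build/` for the conditions discussed in this thread (files left with the tarball author's owner, entries writable by other users, setuid/setgid files) before anything in it is built or installed by root. The function name `audit_build_dir`, its helper `tag`, and the output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of CPAN.pm or dpkg).
# Usage after sourcing this file:
#   audit_build_dir "$HOME/.cpan/build" || echo "do not build this tree as root"

# Prefix every path read on stdin with a reason label and a tab.
tag() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

# audit_build_dir DIR [OWNER]
# OWNER is the uid or user name expected to own every entry
# (default: the uid running the audit).
# Prints one "REASON<TAB>PATH" line per finding.
# Returns 0 if the tree is clean, 1 if there are findings, 2 on bad usage.
audit_build_dir() {
    dir=$1
    owner=${2:-$(id -u)}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi

    findings=$(
        # Entries that kept the owner recorded in the tarball, or that
        # belong to any other account than the one doing the build.
        find "$dir" ! -user "$owner" -print | tag foreign-owner
        # Entries another local user could modify between unpacking and
        # the build/install step. Symlink mode bits carry no meaning,
        # so symlinks are skipped.
        find "$dir" ! -type l \( -perm -0002 -o -perm -0020 \) -print |
            tag writable-by-others
        # Regular files carrying setuid or setgid bits.
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print |
            tag setid
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Group-writable entries are reported even on systems that use per-user private groups; drop the `-perm -0020` test if that is your site policy.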