Re: dpkg-buildpackage (-rfakeroot) leaves setuid binaries

On Tuesday, 2002-01-22 at 01:11:18 +0100, Christian Jaeger wrote:

> (BTW a somewhat similar problem (but not debian specific) exists with 
> the perl CPAN module build process: -MCPAN is designed to work as 
> root. It downloads the tarball, extracts it (with the user/group that 
> the author packed them) as root, thus you are left with files 
> belonging to random system users. -MCPAN doesn't take any precautions 
> to protect the .cpan/build/ folder, thus with a bit of luck some user on 
> the system can modify the unpacked files before they are 
> built/installed by root.)

You do not need to run the CPAN build process as root. You *may*
need the root account to install the packages (which, I admit, is
conveniently done from the CPAN.pm module).

Now, if your site specific CPAN directories do not belong to root,
you don't need even that. However, if then other perl library
directories *are* owned by root, you have trouble with new versions
of Perl Core modules - perl will always pick the old ones in
the system library directories because of the standard @INC.

Should those directories be owned by a "perl owner" user in Debian
to prevent possible exploits from Perl modules? It's easy to
catch somebody unawares from a Makefile.PL.

Lupe Christoph
| lupe@lupe-christoph.de       |        http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a      |
| Bat-Leth contest on the holodeck. They will not concern us again.      |
| http://public.logica.com/~stepneys/joke/klingon.htm                    |
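
The ownership problem discussed in this thread can be checked before anything in the build tree is run with elevated rights. The following is an added example, not part of the original message or of CPAN.pm: the function name `audit_build_tree` is hypothetical, and it assumes the build tree lives under a path such as `~/.cpan/build`.

```shell
#!/bin/sh
# Added example: audit an unpacked CPAN build tree before building or
# installing from it. audit_build_tree is a hypothetical helper name.
#
# Reports every entry under DIR that
#   - is not owned by the invoking user (e.g. kept the uid from the tarball), or
#   - is group- or world-writable (another local user could alter it).
# Exit status: 0 = clean, 1 = findings printed, 2 = DIR is not a directory.
audit_build_tree() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    uid=$(id -u)
    # Symlinks are excluded from the mode test because their permission
    # bits are not meaningful; their ownership is still checked.
    findings=$(find "$dir" \( ! -user "$uid" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run against a directory given on the command line, for example:
#   sh audit.sh "$HOME/.cpan/build"
[ $# -eq 0 ] || audit_build_tree "$1"
```

A non-zero status means the tree should not be built or installed from until ownership and modes have been corrected.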

