Bugtraq mailing list archives

Re: RPM building races


From: Jim Knoble <jmknoble () jmknoble cx>
Date: Tue, 20 Mar 2001 13:49:55 -0500

Circa 2001-Mar-19 18:52:11 +0000 dixit Ian Lynagh:

: Today it became necessary for me to build an RPM for the first time.
: To assist my learning I chose, randomly, gzip and had a look at its
: spec file in conjunction with reading the various documentation. The
: first time I saw the reference to /tmp and /var/tmp I was worried,
: and still don't see why ./redhat isn't used in the same way as
: ./debian/tmp is. [...]
:
: [...] To exploit this race for real is difficult, and you need an account
: on the machine in question, but even so I think problems like these
: should be fixed. There may also be easier races in other packages. I
: am not overly familiar with RPM, but I think the easiest solution
: would be to set the default buildroot on all packages to be
: something like ./rpm-building/%{package} or, slightly more work, to
: make sure the buildroot is secure before you do anything else in
: there.
:
: I have not given vendors advance warning as their build environments
: are presumably secure, while it is the many sysadmins building RPMs
: out there on user machines who are the ones under threat.

Several things:

  (1) You shouldn't build software on a production machine.  Ever.

  (2) You shouldn't build software from specfiles on any machine
      without inspecting the specfile.  Thoroughly.  Ever.

  (3) Many recent specfiles use the '%{_tmpdir}' macro for BuildRoot;
      for example:

        BuildRoot: %{_tmpdir}/%{name}-%{version}-%{release}

      %{_tmpdir} defaults to /var/tmp/; it's easy enough to change:

        cat >>~/.rpmmacros <<EOF
        %HOME %{expand:%%(cd; pwd)}
        %_tmpdir %{HOME}/tmp
        EOF

  (4) rpm has supported a '--buildroot' command-line option to override
      the value of BuildRoot: since at least 1998.  Here's how to use it:

        rpm -ba --buildroot="${HOME}/tmp/blah" blah.spec

  (5) You shouldn't build and package software using RPM as a
      privileged user.  Ever.  (Well, okay---rarely).  Here's how not to:

        mkdir -p ~/rpm/{BUILD,RPMS/{i386,noarch},SOURCES,SPECS,SRPMS}
        cat >>~/.rpmmacros <<EOF
        %HOME %{expand:%%(cd; pwd)}
        %_topdir %{HOME}/rpm
        EOF

There really aren't any surprises here at all.  Savvy sysadmins don't
build software on systems with untrusted user accounts.

--
jim knoble | jmknoble () jmknoble cx | http://www.jmknoble.cx/
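The following is an added example, not part of Jim Knoble's post and not code from the rpm project. It puts items (3) and (5) of the post together in a portable sh script: it creates the per-user build tree and the `~/.rpmmacros` entries that move `_topdir` and `_tmpdir` under `$HOME`, and it adds the check Ian Lynagh asked for, refusing to treat a directory as a buildroot unless it is a real directory owned by the current user and writable by nobody else. It assumes POSIX sh plus `mktemp`, `ls -n` and `id`; rpm itself is never invoked, and the demonstration runs against a throwaway home directory so the real `~/.rpmmacros` is untouched.

```shell
#!/bin/sh
# Added example (not from the original post or the rpm project).
# Assumes POSIX sh with mktemp(1), ls(1) and id(1); rpm is not run here.

# setup_rpm_tree HOME_DIR
# Create HOME_DIR/rpm/{BUILD,RPMS/i386,RPMS/noarch,SOURCES,SPECS,SRPMS}
# and HOME_DIR/tmp, then append the _topdir/_tmpdir macros the post uses
# to HOME_DIR/.rpmmacros. The directory list is spelled out because
# brace expansion is a bash extension, not POSIX sh.
setup_rpm_tree() {
    home=$1
    for d in BUILD RPMS/i386 RPMS/noarch SOURCES SPECS SRPMS; do
        mkdir -p "$home/rpm/$d" || return 1
    done
    mkdir -p "$home/tmp" || return 1
    # Keep both the build tree and the per-user tmpdir private.
    chmod 700 "$home/rpm" "$home/tmp" || return 1
    # Same macro definitions as in the post; %HOME is resolved by rpm.
    cat >>"$home/.rpmmacros" <<EOF
%HOME %{expand:%%(cd; pwd)}
%_topdir %{HOME}/rpm
%_tmpdir %{HOME}/tmp
EOF
}

# check_buildroot DIR
# Succeed only if DIR is an existing directory, is not a symlink, is owned
# by the current user and is not group- or world-writable. A shared
# /var/tmp-style location fails this, which is exactly the property the
# post's relocation of _tmpdir restores.
check_buildroot() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ ! -h "$dir" ] || return 1
    # ls -ldn prints a numeric owner: "drwx------ 2 1000 1000 ... name"
    set -- $(ls -ldn "$dir") || return 1
    mode=$1
    owner=$3
    [ "$owner" = "$(id -u)" ] || return 1
    case $mode in
        ?????w*|????????w*) return 1 ;;   # group- or world-writable bit set
    esac
    return 0
}

# Demonstration on a constructed, throwaway home directory.
demo_home=$(mktemp -d)
setup_rpm_tree "$demo_home"
if check_buildroot "$demo_home/tmp"; then
    echo "ok: $demo_home/tmp is a private buildroot"
fi
mkdir -m 1777 "$demo_home/shared"
if ! check_buildroot "$demo_home/shared"; then
    echo "refused: $demo_home/shared is world-writable"
fi
rm -rf "$demo_home"
```

`check_buildroot` looks only at the final directory, not at its parents; that is enough once `_tmpdir` lives under a mode-700 `$HOME/tmp`, but a buildroot placed under a world-writable parent would still need the parent chain inspected.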

