Date: Thu, 4 May 2000 12:36:48 -0700 (PDT) From: Jin Guojun (FTG staff) <jin@george.lbl.gov> To: n_hibma@calcaphon.com, nbm@mithrandr.moria.org Cc: freebsd-bugs@FreeBSD.ORG Subject: Re: bin/18373: pkg_delete shouldn't insist on root Message-ID: <200005041936.MAA09285@george.lbl.gov>
next in thread | raw e-mail | index | archive | help
On Thu 2000-05-04 Neil Blakey-Milner wrote: > > You can't update /var/db/pkgs in that case. I think. In any case, part > > of the update needs to be done as root, so pkg_delete has to switch user > > every so often to do the right thing. > > No, it doesn't. You should read the pkg_delete man page, and look at > the PKG_DBDIR environment variable, and the fact pkg_delete isn't > setuid. It isn't a security concern. It doesn't let users do anything > more than they usually can. It just lets them use a tool to ease > automation of what they'd have to do themselves. > > Neil > -- ll /var/db total 6 drwxr-xr-x 3 root wheel 512 Apr 21 10:23 ./ drwxr-xr-x 18 root wheel 512 Apr 18 02:31 ../ -rw-rw-r-- 1 nobody wheel 0 Apr 18 04:16 locate.database -rw-r--r-- 1 root wheel 0 Apr 21 12:00 mountdtab drwxr-xr-x 47 root wheel 1536 Apr 21 18:38 pkg/ -rw-r--r-- 1 root wheel 9 Apr 18 04:12 port.mkversion -rw-r--r-- 1 root wheel 256 May 4 08:05 statd.status If a user wants to do pkg_delete without root privilege, the /var/db/pkg has to be world rw-able, then every one can adding/removing stuff from /var/db/pkg directory. This situation is not acceptable. -Jin To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200005041936.MAA09285>