Subject: strange permissions difference between /var/db/pkg and the package archive
To: NetBSD Packages Technical Discussion List <tech-pkg@NetBSD.ORG>
From: Greg A. Woods <woods@most.weird.com>
List: tech-pkg
Date: 04/20/1999 19:20:59

This is partially a security concern, but I doubt too many people use
binary packages just yet, so I've not posted this to tech-security.

The following is a listing of the first few files in the archive file of
a package I've been working on (i.e. the result of "make package").
Notice that I own a few of those files:

17:58 [74] $ pax -vzf ../../packages/All/mypkg-0.1.tgz | head -9
-rw-r--r-- 1 root wheel 27787 Apr 20 17:44 +CONTENTS
-rw-r--r-- 1 root wheel 50 Apr 20 17:44 +COMMENT
-rw-r--r-- 1 root wheel 1352 Apr 20 17:44 +DESC
-rw-r--r-- 1 woods wheel 2244 Apr 20 17:41 +INSTALL
-rw-r--r-- 1 woods wheel 911 Apr 20 17:41 +REQUIRE
-rw-r--r-- 1 woods wheel 1155 Apr 20 17:41 +DISPLAY
-rw-r--r-- 1 woods wheel 3256 Jan 7 00:30 +MTREE_DIRS
-rw-r--r-- 1 root wheel 816 Apr 20 17:43 +BUILD_VERSION
-rw-r--r-- 1 root wheel 563 Apr 20 17:43 +BUILD_INFO

Even more disconcerting: I still own those files in /var/db/pkg after
the binary package is installed:

binary-machine [618] # ls -l /var/db/pkg/mypkg-0.1/
total 74
-rw-r--r-- 1 root wheel 563 Apr 20 17:43 +BUILD_INFO
-rw-r--r-- 1 root wheel 816 Apr 20 17:43 +BUILD_VERSION
-rw-r--r-- 1 root wheel 50 Apr 20 17:44 +COMMENT
-rw-r--r-- 1 root wheel 27787 Apr 20 18:36 +CONTENTS
-rw-r--r-- 1 root wheel 1352 Apr 20 17:44 +DESC
-rw-r--r-- 1 woods wheel 1155 Apr 20 17:41 +DISPLAY
-rwxr-xr-x 1 woods wheel 911 Apr 20 17:41 +REQUIRE
-rw-r--r-- 1 root wheel 24 Apr 20 18:38 +REQUIRED_BY

Oddly enough the files in the build machine's /var/db/pkg are owned by
root, just as one might expect:

build-machine [2093] # ls -l /var/db/pkg/mypkg-0.1
total 76
-rw-r--r-- 1 root wheel 563 Apr 20 17:43 +BUILD_INFO
-rw-r--r-- 1 root wheel 816 Apr 20 17:43 +BUILD_VERSION
-rw-r--r-- 1 root wheel 50 Apr 20 17:43 +COMMENT
-rw-r--r-- 1 root wheel 27542 Apr 20 18:49 +CONTENTS
-rw-r--r-- 1 root wheel 1352 Apr 20 17:43 +DESC
-rw-r--r-- 1 root wheel 1155 Apr 20 17:43 +DISPLAY
-rwxr-xr-x 1 root wheel 2244 Apr 20 17:43 +INSTALL
-rwxr-xr-x 1 root wheel 911 Apr 20 17:43 +REQUIRE

Yes, the "make package" and the "pkg_add" were both run by root.

Note also that the +INSTALL script is only found on the build machine
and isn't copied into /var/db/pkg on a binary-only machine. I think I
mentioned this before, and I think it's a bug too -- the +INSTALL script
should be preserved, not only so it can be displayed with "pkg_info -i"
on any machine, but also so that it might be possible to reproduce a
binary package on a binary-only machine (which has several interesting
uses, not the least of which is to make it easier to verify that the
construction of the package is correct and that the pkgsrc Makefile
isn't doing anything that should be done in the +INSTALL or +REQUIRE
scripts).

I'll probably hack a bit on these problems, but I don't have a fix yet.

I'd also like to propose that the "REQUIRE" script be called "REQUIRE",
not "REQ" in pkgsrc (or alternately that it be called "REQ" everywhere),
but of course that's really a separate issue.

--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
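
Added example, not part of the original message or of the pkg tools: a check a package builder could run on a binary package before publishing it, flagging archive members whose recorded owner is not root or whose mode is group- or world-writable. The sample archive is constructed to mirror the pax listing above; uid 1000 for "woods" and the bin/mypkg member are assumptions.

```python
import io
import tarfile

# Constructed sample mirroring the listing in the message; uid 1000 for
# "woods" is an assumption, the message does not give numeric ids.
SAMPLE = [
    ("+CONTENTS", "root", 0, 0o644),
    ("+COMMENT", "root", 0, 0o644),
    ("+INSTALL", "woods", 1000, 0o644),
    ("+REQUIRE", "woods", 1000, 0o644),
    ("+DISPLAY", "woods", 1000, 0o644),
    ("+MTREE_DIRS", "woods", 1000, 0o644),
    ("+BUILD_VERSION", "root", 0, 0o644),
    ("bin/mypkg", "root", 0, 0o755),  # hypothetical payload file
]

def build_sample_package(entries=SAMPLE):
    """Build an in-memory .tgz from (name, uname, uid, mode) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, uname, uid, mode in entries:
            data = b"constructed placeholder\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.uname, info.uid = uname, uid
            info.gname, info.gid = "wheel", 0
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def audit_package(tgz_bytes):
    """Return (member, problem) pairs for members root does not exclusively control."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            # Ownership recorded in the archive is what an extractor running
            # as root will restore, so a non-root owner is a finding.
            if member.uid != 0 or member.uname not in ("", "root"):
                owner = member.uname or str(member.uid)
                findings.append((member.name, "owner " + owner))
            # Group- or world-writable bits let other accounts edit the file.
            if member.mode & 0o022:
                findings.append((member.name, "mode " + oct(member.mode & 0o7777)))
    return findings

if __name__ == "__main__":
    for name, problem in audit_package(build_sample_package()):
        print(f"{name}: {problem}")
```
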