Re: Improving security for pkgsrc

To: tech-pkg%netbsd.org@localhost
Subject: Re: Improving security for pkgsrc
From: Pierre Pronchery <khorben%defora.org@localhost>
Date: Mon, 10 Aug 2015 01:27:19 +0200

			Hi tech-pkg@,

On 03/08/2015 14:31, Greg Troxel wrote:
>> I have tried both "make install" and "make package", and it worked in
>> both cases. Please correct me if I am wrong, but it seems that even if
>> destdir is not supported, the framework always installs files from the
>> staging area in ${WRKSRC}/${DESTDIR}. The executables are marked by
>> paxctl(8) permanently there. This is unlike chmod(1) for instance, which
>> does not modify the original file.
> 
> In general, is the notion that paxctl changes the actual binary, and
> there is no state anywhere else?

With the current implementation on NetBSD yes.

> Did you build a binary package, copy it to a different machine, and run
> it there?  I think that should work, but it's an obvious test to do.

I can confirm that it works.

> If destdir is not supported (which is getting to be a more and more
> unusual case), then the files are installed from WRKDIR into PREFIX.

That is what I observed, and it worked fine for me.

Can I commit this patch then?

Cheers,
-- 
khorben

Follow-Ups:
- Re: Improving security for pkgsrc
  - From: Greg Troxel

References:
- Improving security for pkgsrc
  - From: Pierre Pronchery
- Re: Improving security for pkgsrc
  - From: Pierre Pronchery
- Re: Improving security for pkgsrc
  - From: Thomas Klausner
- Re: Improving security for pkgsrc
  - From: Pierre Pronchery
- Re: Improving security for pkgsrc
  - From: Greg Troxel

Prev by Date: Re: netbsd32_compat packages
Next by Date: OWN_DIRS prunes /var/tmp (PR 35340)
Previous by Thread: Re: Improving security for pkgsrc
Next by Thread: Re: Improving security for pkgsrc
Indexes:

Home | Main Index | Thread Index | Old Index