+2005-10-03 Frank Lichtenheld <djpig@debian.org>
+
+ * scripts/dpkg-source.pl: Try to chown files extracted from
+ a tar file to the uid and gid of the user. This should make
+ dpkg-source -x safer to use as root. Also create the temporary
+ directory mode 0700 to not allow anyone exploiting races
+ between the extraction and the chown.
+
2005-08-27 Frank Lichtenheld <djpig@debian.org>
- * scripts/dpkg-gencontrol: Bail out with an error if parsedep
- found an error while parsing a dependency field.
+ * scripts/dpkg-gencontrol: Bail out with an error if parsedep
+ found an error while parsing a dependency field.
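Review bot: The 2005-08-27 dpkg-gencontrol entry is removed and re-added with identical wording, so this looks like a whitespace-only re-indent riding along with the dpkg-source change. Suggest dropping it from this patch or sending it separately, so the security-relevant change stays easy to audit and backport on its own.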
2005-08-17 Scott James Remnant <scott@netsplit.com>
[Frank Lichtenheld]
* Let dpkg-gencontrol bail out with an error if parsedep
found an error while parsing a dependency field. Closes: #228125
+ * dpkg-source -x now tries to chown all files extracted from
+ tar files. The temporary directory is now created with mode
+ 0700, too. Together this should make it safer to run
+ dpkg-source -x as root. Based on suggestions by Marcus
+ Brinkmann and Colin Watson. Closes: #144571, #238460
--
my $tmp = "$target.tmp-nest";
(my $t = $target) =~ s!.*/!!;
- mkdir($tmp,0755) || &syserr("unable to create `$tmp'");
+ mkdir($tmp,0700) || &syserr("unable to create `$tmp'");
system "chmod", "g-s", $tmp;
print("$progname: unpacking $tarfile\n");
extracttar("$dscdir/$tarfile",$tmp,$t);
+ system "chown", '-R', '-f', join(':',@fowner), "$tmp/$t";
rename("$tmp/$t",$target)
|| &syserr("unable to rename `$tmp/$t' to `$target'");
rmdir($tmp)
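Review bot: The added chown call just before rename() discards the return status of system and also passes '-f', so a failed ownership change is silent and the tree is still renamed into $target with whatever uid and gid the tar file carried. Since the stated goal is to make dpkg-source -x safer as root, consider checking $? after the call and at least printing a warning, or bailing out via &syserr as the mkdir line does. @fowner is not set anywhere in the visible lines; a short comment where it is populated, saying it holds the invoking user's uid and gid as the ChangeLog describes, would help the next reader confirm the join(':',@fowner) argument is always well-formed.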