

Re: Interesting dpkg issue, plus thoughts...



> 
> Since so many people seem to be interested in this:
> 
> Until version 1.4.0.9, three programs in dpkg-dev used the value of
> &getlogin() to set the ownership of files they created:
> 
>  * dpkg-distaddfile used it to set the ownership of debian/files  
>  * dpkg-gencontrol used it to set the ownership of debian/files  
>  * dpkg-shlibdeps used it to set the ownership of debian/substvars
> 
> They did this so that when they were called from 'sudo ./debian/rules
> binary' (or whatever other root-granting program was being used), they
> would create 'debian/files' and 'debian/substvars' files that were
> likely to be editable by the user running the program. 

Just like to mention here (Warning: ad follows) that my "fakeroot"
package would solve this too: dpkg-* can happily chown() the files
to root, and they will *think* the files are indeed owned by root,
but on the filesystem they are still owned by whoever executed
fakeroot.

The only problem with fakeroot currently is that you need libc6
versions of at least
  dpkg, make, fileutils, tar, bash
for "dpkg-buildpackage -rfakeroot" to work correctly. Fakeroot
seems pretty stable now: I've yet to encounter a package that does
build with "-rsudo", but doesn't build with "-rfakeroot".

Assuming dpkg_1.4.0.19 is libc6, it isn't very hard to
make such an environment any more (dpkg_1.4.0.{8,17} do
not compile for me, they fail in the debiandoc stuff).

(Fakeroot is an environment that gives "fake" root, by setting
LD_PRELOAD to "libfakeroot" that wraps functions like getuid(),
chown(), stat(), etc).


Fakeroot isn't just fun, it's useful too, and it enhances system
security!

(end of ad -- does this one have enough relevance to Debian
for me not to have to pay the $1000?)

-- 
joost witteveen, joostje@debian.org ** Long live the Debian way-of-life
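
The wrapping idea described in the message above, as an added example that is not part of the original post and is not fakeroot's own code: chown() requests are remembered in memory and overlaid on stat() results, while the file on disk keeps its real owner. The `fr_` names, the fixed-size table and the sample path `.` are assumptions of this sketch; a preload library would export the functions under the libc names and reach the real ones through `dlsym(RTLD_NEXT, ...)`.

```c
/* Added illustration of fake-root ownership bookkeeping (hypothetical fr_ names). */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_FAKED 64
struct faked { dev_t dev; ino_t ino; uid_t uid; gid_t gid; };
static struct faked table[MAX_FAKED];   /* remembered chown() calls */
static int n_faked;

/* Stand-in for getuid(): the build tools are told they run as root. */
uid_t fr_getuid(void) { return 0; }

static struct faked *lookup(dev_t dev, ino_t ino) {
    for (int i = 0; i < n_faked; i++)
        if (table[i].dev == dev && table[i].ino == ino) return &table[i];
    return NULL;
}

/* Stand-in for chown(): record the requested owner, never touch the disk. */
int fr_chown(const char *path, uid_t uid, gid_t gid) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;          /* errno set by stat() */
    struct faked *f = lookup(st.st_dev, st.st_ino);
    if (!f) {
        if (n_faked == MAX_FAKED) { errno = ENOSPC; return -1; }
        f = &table[n_faked++];
        f->dev = st.st_dev; f->ino = st.st_ino;
        f->uid = st.st_uid; f->gid = st.st_gid;   /* start from real owner */
    }
    if (uid != (uid_t)-1) f->uid = uid;           /* -1 means "leave unchanged" */
    if (gid != (gid_t)-1) f->gid = gid;
    return 0;
}

/* Stand-in for stat(): real metadata with the remembered owner overlaid. */
int fr_stat(const char *path, struct stat *out) {
    if (stat(path, out) != 0) return -1;
    struct faked *f = lookup(out->st_dev, out->st_ino);
    if (f) { out->st_uid = f->uid; out->st_gid = f->gid; }
    return 0;
}

int main(void) {
    struct stat fake, real;   /* "." is a constructed sample path */
    if (fr_chown(".", 0, 0) || fr_stat(".", &fake) || stat(".", &real)) return 1;
    printf("faked uid %ld, on-disk uid %ld\n", (long)fake.st_uid, (long)real.st_uid);
    return 0;
}
```

Because the table is keyed by device and inode, a file reached through a second path or a hard link reports the same faked owner.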

