On Tue, 29 Aug 2000, Ivan Jager wrote:
>> Because I have done so for several years with no problems until
>> last week when I had a "rpm --rebuild" delete several
>> subdirectories on my filesystem during "%clean" stage. RPM
>> should IMHO do anything it does in a chroot()'d jail. Making a
>> user called "rpm" and setting up rpm to build packages as that
>> user, is much safer, ESPECIALLY when constructing and debugging
>> your own packages.
>>
>> So, yes. Security, and safety. _Even_ if you trust the
>> sources. It is easy to make a mistake in a spec file and kiss
>> everything goodbye.
>
>When building as a regular user, how do you get the packages to install
>files owned by root?

Simple, use %defattr()

>When I first started building packages I did it as root, then I found
>out that if I "chown ivanj: -R /usr/src/redhat" I could build as ivanj
>without any problems (AFAIK), until one day someone else installed one
>of my packages. Then I noticed that the files it was installing were
>owned by ivanj. (they didn't have a user ivanj, so it said "ivanj: no
>such user", or something like that) Then I started building as root
>again.

Do _NOT_ set the file permissions and ownership in %install or
any other previous sections. Set ALL permissions and ownership
in the %files section using the %defattr and %attr macros
instead.

This causes the permissions to occur during packaging time, ready
for install time.

Doing it in %install requires root privs and is a bad way to
make spec files.

The only major downside is that in some specs where you would
do:

    %install
    make install

and let the make target install all files and possibly set
permissions, etc., or use the "install" command to install files
and set owner/perms, etc., you must now manually put your own
install section, or make a diff to the makefile that doesn't set
perms, ownership...

It makes for a more secure build environment though.

>Is this solved in newer versions of rpm, or should I give rpm some other
>parameters? (other than "-bb <package>")

Just use the macros described above.

TTYL

--
Mike A. Harris Linux advocate
Computer Consultant GNU advocate
Capslock Consulting Open Source advocate
Be up to date on nerd news and stuff that matters: http://slashdot.org
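
The approach described in the reply above, as an added example that is not part of the original message: a minimal spec file that builds as an unprivileged user and records root ownership in the files list. The package name "hello", its two files and all paths are assumptions made up for illustration.

```spec
# Constructed example: hypothetical package "hello"; names and paths are assumptions.
Name:      hello
Version:   1.0
Release:   1
Summary:   Example package built as an unprivileged user
License:   GPL
Group:     Applications/System
Source0:   hello-1.0.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-root

%description
Example showing ownership and modes recorded in the files list
instead of being applied with chown during the install stage.

%prep
%setup -q

%build
make

%install
# Stage into the build root only. No chown and no "install -o root -g root",
# so nothing in this section needs root privileges.
if [ -n "$RPM_BUILD_ROOT" ] && [ "$RPM_BUILD_ROOT" != "/" ]; then
    rm -rf "$RPM_BUILD_ROOT"
fi
mkdir -p "$RPM_BUILD_ROOT/usr/bin" "$RPM_BUILD_ROOT/etc"
install -m 755 hello      "$RPM_BUILD_ROOT/usr/bin/hello"
install -m 644 hello.conf "$RPM_BUILD_ROOT/etc/hello.conf"

%clean
# Refuse to delete anything if the build root is empty or is "/".
if [ -n "$RPM_BUILD_ROOT" ] && [ "$RPM_BUILD_ROOT" != "/" ]; then
    rm -rf "$RPM_BUILD_ROOT"
fi

%files
# Default for every entry below: keep the staged mode, owner root, group root.
%defattr(-,root,root)
/usr/bin/hello
# Per-file override: mode 0640, owner root, group root, stored in the package.
%attr(0640,root,root) %config /etc/hello.conf
```

Running `rpm -qlvp` on the resulting package lists the owner, group and mode recorded for each file, which shows whether the builder's own account leaked into the package.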