Opened 6 months ago
Last modified 6 months ago
#70016 new defect
destroot phase does not confine process to destroot directory
| Reported by: | mohd-akram (Mohamed Akram) | Owned by: | |
|---|---|---|---|
| Priority: | High | Milestone: | |
| Component: | base | Version: | 2.9.3 |
| Keywords: | | Cc: | |
| Port: | | | |
Description
Currently, a portfile can write to anywhere outside the destroot directory in the destroot phase. This is problematic because a port might not have proper support for DESTDIR and might end up polluting directories outside its scope. It's also problematic to have this phase run as root, which I imagine is not necessary in 99% of cases, and in cases where it might be necessary (e.g. chown, chmod), that should ideally be handled in a declarative manner or at the very minimum be opt-in via destroot.asroot until that option is available.
Sandboxing does prevent writing outside the workpath for commands run with `system`, though not for native Tcl commands the Portfile may run.