When installing packages with the package UI as root (21.4.6 on RedHat
7.2), the extracted files get their ownerships from the tarballs, which
is not nice. Nowadays the files seem to have 103/100 as their owner.
Some may consider it a security hole, no?
I did some research but forcing the ownerships to be the installer's
doesn't seem to be a trivial one. Newer GNU tars have the
--no-same-owner option, some have the --owner option which could be used
together with (user-uid). And then, of course, there's chmod.
OTOH, there should be no suid thingies inside tarballs if we're
extracting as root.
Is there a way around this, maybe something could be done when making
the tarballs?
--
Ville Skyttä
ville.skytta(a)xemacs.org
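
An added example, not part of the original message or of XEmacs's packaging tools: one way to handle this when making the tarballs is to audit the archive for non-root owners and setuid/setgid bits, then rewrite it so every member is root:root with those bits cleared. The function names and the sample archive (owner 103/100, one setuid file) are constructed for illustration.

```python
import io
import stat
import tarfile

RISKY_BITS = stat.S_ISUID | stat.S_ISGID

def audit(tar_bytes):
    """List members that would land with a foreign owner or suid/sgid bits
    if the archive were extracted as root with ownership preserved."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf:
            special = bool(m.mode & RISKY_BITS)
            if m.uid != 0 or m.gid != 0 or special:
                findings.append((m.name, m.uid, m.gid, special))
    return findings

def normalize(tar_bytes):
    """Rewrite the archive so each member is root:root without suid/sgid."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as src, \
         tarfile.open(fileobj=out, mode="w") as dst:
        for m in src:
            m.uid = m.gid = 0
            m.uname = m.gname = "root"
            m.mode &= ~RISKY_BITS
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()

def build_sample():
    """Constructed sample: a package tarball built by uid 103 / gid 100."""
    members = [("pkg/lisp/foo.el", 0o644, b"(provide 'foo)\n"),
               ("pkg/bin/helper", 0o4755, b"#!/bin/sh\n")]  # setuid on purpose
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, mode, data in members:
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            info.uid, info.gid = 103, 100
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample()
    print("before:", audit(sample))
    print("after: ", audit(normalize(sample)))
```

On the extraction side, the `--no-same-owner` option mentioned above makes GNU tar assign extracted files to the invoking user instead of the owner recorded in the archive.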