He's not dead, he's resting

New Gentoo EAPI Things: Secure Working Directories

This is the third post in a series about new Gentoo EAPI things.

Consider an ebuild that does something like this:

pkg_setup() {
    python -m foo -c bar

Here, python will first look in the current working directory for the foo module. If the superuser calling the package manager is doing so from a directory writeable by a malicious user, that user can create a in that directory that does something naughty, and it will be executed with the privileges of the superuser.

Historically, it has been the ebuild’s responsibility to work around this kind of behaviour. This is tricky, however, and most ebuilds have never bothered — most developers aren’t aware of this kind of attack, and may not even realise that their code eventually calls some program that has this behaviour (Python isn’t the only culprit). Thus, it was decided in Gentoo bug 239560 to make it the package manager’s responsibility to ensure a trusted working directory for any ebuild calls.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s