Axel.Thimm@xxxxxxxxxx (Axel Thimm) writes:

>> This directory is NOT unique and will break if 2 or more users are
>> running an rpmbuild in parallel on the same /var/tmp filesystem.
>
> And everything will break if someone builds for i686 and i586 (e.g. a
> kernel or glibc) simultaneously on the same filesystem (as the same
> user), which is even worse and probably more common than two non-root
> users sharing the same build server and building *exactly* the same
> package EVR-wise.

ACK; when you build on multi-user systems, you should use a secure
%_tmppath instead of trusting in %(id -u). Otherwise, an attacker could
create between

 | rm -rf $RPM_BUILD_ROOT
 | ...
 | make install --> mkinstalldir $RPM_BUILD_ROOT

an $RPM_BUILD_ROOT with e.g. files for symlink attacks (it should be
trivial to find the window above with inotify(2)).

Therefore, multi-user environments are not an argument pro %(id -u).


Enrico

--
Fedora-packaging mailing list
Fedora-packaging@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-packaging
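
One way to set up the secure %_tmppath recommended in the reply above, as an added example that is not part of the original message. The function names and the `rpmbuild-tmp.XXXXXX` template are assumptions, as is a spec whose BuildRoot is derived from %{_tmppath} and a base directory (such as $HOME) in which other users cannot rename entries.

```shell
#!/bin/sh
# Added example (not from the thread): give rpmbuild a private %_tmppath so
# that, when BuildRoot is derived from %{_tmppath}, no other local user can
# pre-create $RPM_BUILD_ROOT between the spec's "rm -rf" and "make install".
# Function names here are hypothetical.

# is_private_dir DIR: succeed only if DIR is a real directory (not a
# symlink), owned by the current user, with no group/other permission bits.
is_private_dir() {
    dir=$1
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi
    # ls -ldn prints e.g. "drwx------ 2 1000 1000 ..."; field 3 is the uid.
    ls -ldn "$dir" | awk -v uid="$(id -u)" '
        BEGIN { rc = 1 }
        NR == 1 && substr($1, 1, 10) ~ /^d...------$/ && $3 == uid { rc = 0 }
        END { exit rc }'
}

# make_private_tmppath BASE: create a fresh mode-0700 directory under BASE
# and print its path. mktemp -d fails instead of reusing an existing name.
make_private_tmppath() {
    base=$1
    ( umask 077 && mktemp -d "$base/rpmbuild-tmp.XXXXXX" )
}

# rpmbuild_tmppath_define DIR: print the macro definition for
# rpmbuild --define, refusing a directory that other users could write to.
rpmbuild_tmppath_define() {
    if ! is_private_dir "$1"; then
        echo "refusing unsafe %_tmppath: $1" >&2
        return 1
    fi
    printf '_tmppath %s\n' "$1"
}

# Typical use:
#   tmp=$(make_private_tmppath "$HOME") &&
#   rpmbuild --define "$(rpmbuild_tmppath_define "$tmp")" -ba package.spec
```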