On Tue, 2006-08-22 at 17:10 +0200, Axel Thimm wrote:
> On Tue, Aug 22, 2006 at 08:04:16AM -0700, Toshio Kuratomi wrote:
> > Here's rpmlint's reasoning:
> > 'Absolute symlinks are problematic eg. when working with chroot
> > environments.'
>
> In that sense every symlink is dangerous including relative ones: if
> it contains too many ".." you'll end up outside the chroot anyway if
> accessed from outside.

That supposes that the symlink is referencing something above where the root directory should be. If it happens when the path is the same as where the package is meant to install, then I'd consider it a bug in packaging (ie: if you packaged a symlink, /usr/bin/ifconfig, it shouldn't point to ../../../../../sbin/ifconfig; it should point to ../../sbin/ifconfig). If it happens with the path changed, (You install the previous package with --relocate /usr/bin=/bin) I'm inclined to say that's unsupported behaviour anyway.

> If accessed from inside the chroot, absolute
> paths are even securer when being root.
>

More secure?

> Chroots (with external access, e.g. not within) aren't used by package
> consumers, but package builders and testers.

This is incorrect. We often use chroots for building and testing packages here in Fedora but chroots are a much more general purpose tool.

I think relative symlinks and chroots are most important with configuration files where an administrator will try to edit the file from outside the chroot. There can be a world of difference between

$CHROOT/root/resolv.conf => ../etc/resolv.conf

and

$CHROOT/root/resolv.conf => /etc/resolv.conf

-Toshio
-- Fedora-packaging mailing list Fedora-packaging@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-packaging
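
The difference between the two resolv.conf links discussed in the message, as an added example that is not part of the original post or of rpmlint: it builds a constructed chroot tree in a temporary directory and reports, for each symlink, whether following it from outside the chroot lands outside the tree and whether the outside and inside views agree. The function names (`link_views`, `audit`, `demo`) and link file names are hypothetical, and only a single symlink hop is modelled, by textual path normalization.

```python
import os
import posixpath
import tempfile

def link_views(chroot, link):
    """Resolve one symlink hop as seen from the host and from inside the chroot."""
    chroot = os.path.realpath(chroot)
    host_link = chroot + link                  # link path as the host sees it
    target = os.readlink(host_link)
    # From outside, "/" is the host root and ".." may climb above the chroot.
    outside = posixpath.normpath(
        posixpath.join(posixpath.dirname(host_link), target))
    # From inside, "/" is the chroot; normpath drops ".." at "/" as chroot does.
    inner = posixpath.normpath(posixpath.join(posixpath.dirname(link), target))
    inside = posixpath.normpath(chroot + inner)
    return target, outside, inside

def audit(chroot, link):
    """Flag links that leave the chroot when followed from outside it."""
    root = os.path.realpath(chroot)
    target, outside, inside = link_views(root, link)
    return {
        "target": target,
        "escapes": os.path.commonpath([root, outside]) != root,
        "views_agree": outside == inside,
    }

def demo():
    """Constructed sample tree: $CHROOT/etc/resolv.conf plus three links."""
    with tempfile.TemporaryDirectory() as chroot:
        for d in ("etc", "root"):
            os.mkdir(os.path.join(chroot, d))
        open(os.path.join(chroot, "etc", "resolv.conf"), "w").close()
        links = {
            "/root/relative.conf": "../etc/resolv.conf",
            "/root/absolute.conf": "/etc/resolv.conf",
            "/root/overlong.conf": "../" * 40 + "etc/resolv.conf",
        }
        results = {}
        for link, target in links.items():
            os.symlink(target, chroot + link)
            results[link] = audit(chroot, link)
        return results

if __name__ == "__main__":
    for link, result in demo().items():
        print(link, result)
```
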