On Sun, Feb 01, 2009 at 10:04:09PM -0600, Clark Williams wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hrm, this is kind of scary, mock is trying to prevent this action? The weird thing is that an error is reported that the action was not allowed, yet the end result is that the file is indeed copied. So if we're trying to prevent it, we're not doing a good job.
I tried it on my laptop and the copy didn't happen. Not sure what's going on there.
I went back and looked at the commit where I added the copyin/copyout options and the uidManager.dropPrivsForever() has always been there. I'm considering dropping it for --copyin (where we modify the chroot) but not for --copyout (where we modify the actual filesystem).
What do you guys think?
Well, until we come up with a "real" security policy for mock, the above suggestion sounds reasonable. -- Michael
buildsys@lists.fedoraproject.org