Openembedded Core Discussions
From: Alejandro del Castillo <alejandro.delcastillo@ni.com>
To: "Burton, Ross" <ross.burton@intel.com>
Cc: OE-core <openembedded-core@lists.openembedded.org>,
	Vladimir Zapolskiy <vz@mleia.com>
Subject: Re: [PATCH] package_ipk: allow to specify OPKG_ARGS in local.conf
Date: Wed, 2 Dec 2015 19:03:59 -0600
Message-ID: <565F94FF.4070503@ni.com>
In-Reply-To: <CAJTo0La8P2oCEAfUeEX9w-+qab_wyRZhPM27FZ6QaORDBM92LQ@mail.gmail.com>



On 12/02/2015 05:19 PM, Burton, Ross wrote:
> 
> On 2 December 2015 at 23:16, Alejandro del Castillo
> <alejandro.delcastillo@ni.com> wrote:
> 
>     > Whilst the patch is fine, this is worrying as noexec /tmp shouldn't break opkg.
>     > Maybe opkg should be changed to use something in /var for the scripts?
> 
>     Could you expand on why it's better to use /var instead of /tmp as the default
>     sandbox location for opkg? I believe dpkg uses /var/lib/ and would like to
>     understand why that's better (to change opkg, if it makes sense)
> 
> 
> Well in this case it's fairly common to mount /tmp as noexec on security
> grounds, and to be limited in size (say a small tmpfs), whereas /var generally
> has fewer restrictions.

I see, common attacks rely on being able to execute commands in /tmp. Do you
mind opening an issue for opkg on bugzilla?

-- 
Cheers,

Alejandro



Thread overview: 6+ messages
2015-12-02  4:48 [PATCH] package_ipk: allow to specify OPKG_ARGS in local.conf Vladimir Zapolskiy
2015-12-02  9:48 ` Burton, Ross
2015-12-02 23:16   ` Alejandro del Castillo
2015-12-02 23:19     ` Burton, Ross
2015-12-03  1:03       ` Alejandro del Castillo [this message]
2015-12-03  5:57   ` Vladimir Zapolskiy
