RPM Community Forums

Mailing List Message of <rpm-users>

Re: How not to use rpm owner/group info on unpack?

From: Marc MERLIN <marc_rpm@merlins.org>
Date: Tue 09 Nov 2010 - 07:07:16 CET
Message-ID: <20101109060716.GP22622@merlins.org>
On Tue, Nov 09, 2010 at 12:11:57AM -0500, Jeff Johnson wrote:
> The likely flaw you've experienced is in cpio,
> which for POSIX cpio reasons, chooses to change permissions
> to 700 on directories when run as root.
That's a different problem which I can handle (pax does that better),
but cpio can recover users and groups from an archive.

> rpm2cpio is most definitely doing nothing other than
> seeking to the beginning of the payload, and uncompressing
> everything to EOF. The result is a cpio ball written to stdout.
> There is no way to "unpack" without "installing" in rpm. The
> two operations are largely identical for a "package manager"

I was looking for
ar p file.deb data.tar.gz | tar xf -

But if rpm doesn't have a way to do this without having a tree with an
rpmdb, I'll work around it.

On Mon, Nov 08, 2010 at 11:28:44PM -0500, Jeff Johnson wrote:
> > It's a problem if the package cannot be opened along with proper perms with
> > any standard tool, including rpm2cpio which is part of rpm, is it not? :)
> > (as far as I can tell, it's rpm2cpio that is losing the file owner info, not
> > cpio, so that made it an rpm problem for me).
> rpm2cpio.c was one (of several) programs written
> to illustrate how to program against an rpm-2.x API
> that went obsolete in rpm-3.0. In 1999.
I see.

> No rpm2cpio splits the cpio payload out of a package. Period.
So the user and group info is really in the cpio that rpm2cpio spits out,
but somehow gets lost when cpio unpacks it? Very weird...

> If you want to verify what cpio -itv would display against package metadata,
> it is very close (identical at one point, but cpio output changes too), then
> 	rpm -qlvp foo*.rpm
Ah, that's very useful, I didn't know the -v in that incantation, thanks.
> > What if you need to validate an rpm on a server which certainly should not
> > install said rpm before it's pushed to a bunch of machines?
> > 
> What is validate? There's file MD5 sums, there's signatures/digest/crc's on *.rpm,
> there's installs into a chroot, or on a test machine, or any number of other meanings
> for "validate".

In that context, validate could mean that the sendmail.rpm I just received
does have /etc/mail owned by user mail and not root, _before_ I install it
on some random machine (can be used by an upload trigger to reject the
package for instance). 
rpm -qlvp will help there, thanks for that.

> > I'll look at the solution you posted, it looks pretty involved :)
> A script that containing chown/chgrp to set user/group on uglix, exactly what you asked for,
> is "involved"?
compared to
ar p file.deb data.tar.gz | tar xf -                                                                     

But I think I'm all set now, thanks for answering my questions.

"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/  
Received on Tue Nov 9 07:07:33 2010
Driven by Jeff Johnson and the RPM project team.
Hosted by OpenPKG and Ralf S. Engelschall.
Powered by FreeBSD and OpenPKG.