R devel - Mar 2006 - Build directory path saved in Meta/hsearch.rds

Hi,
  in Fedora Extras we build R packages to a temporary directory. The
relevant section in
the spec file is this:

%build
cd ..; R CMD INSTALL %{packname} -l %{buildroot}%{_libdir}/R/library

It works. :-)

We noticed one problem though (I will assume working on ix86 here) the
temporary build path is saved in
/usr/lib/R/library/*/Meta/hsearch.rds, i.e. for each package.

To see this is enough to run strings over these file.

Is this a security concern? Does R uses this path in any way?

In case the answer is yes, it is safe to run sed over this file and do
a textual replacement?

Thanks and best regards,
--
Jos? Matos

On 03/03/06, Jos? Matos <jaomatos at gmail.com>
wrote:
> Hi,
>   in Fedora Extras we build R packages to a temporary directory. The
> relevant section in
> the spec file is this:
>
> %build
> cd ..; R CMD INSTALL %{packname} -l %{buildroot}%{_libdir}/R/library
>
> It works. :-)
>
> We noticed one problem though (I will assume working on ix86 here) the
> temporary build path is saved in
> /usr/lib/R/library/*/Meta/hsearch.rds, i.e. for each package.
  Searching a little bit more I see that Peter Daalgard came to the
same conclusion one month ago:
https://stat.ethz.ch/pipermail/r-help/2006-February/086069.html
> To see this is enough to run strings over these file.
>
> Is this a security concern? Does R uses this path in any way?
>
> In case the answer is yes, it is safe to run sed over this file and do
> a textual replacement?
>
> Thanks and best regards,
> --
> Jos? Matos
>
--
Jos? Ab?lio

On Fri, 3 Mar 2006, Jos? Matos wrote:
> On 03/03/06, Jos? Matos <jaomatos at gmail.com> wrote:
>> Hi,
>>   in Fedora Extras we build R packages to a temporary directory. The
>> relevant section in
>> the spec file is this:
>>
>> %build
>> cd ..; R CMD INSTALL %{packname} -l %{buildroot}%{_libdir}/R/library
>>
>> It works. :-)
>>
>> We noticed one problem though (I will assume working on ix86 here) the
>> temporary build path is saved in
>> /usr/lib/R/library/*/Meta/hsearch.rds, i.e. for each package.
>
>  Searching a little bit more I see that Peter Daalgard came to the
> same conclusion one month ago:
> https://stat.ethz.ch/pipermail/r-help/2006-February/086069.html
Yes, and his conclusion holds as well.

Please explain what the problem is.  The first element of the object saved 
in hsearch.rds is a data frame with a column LibPath.  This is not used
by help.search() after installation.
>> To see this is enough to run strings over these file.
>>
>> Is this a security concern?
Why should there be any security issues about a non-existent path?
>> Does R uses this path in any way?
Peter was referring to packages installed with R.  If they were used, no 
binary installation of R would work, so I presume they are not used.
>> In case the answer is yes, it is safe to run sed over this file and do
>> a textual replacement?
Not safe: the string lengths are encoded in the file.
>>
>> Thanks and best regards,
>> --
>> Jos? Matos
>>
>
> --
> Jos? Ab?lio
>
> ______________________________________________
> R-devel at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
>
>
-- 
Brian D. Ripley,                  ripley at stats.ox.ac.uk
Professor of Applied Statistics,  http://www.stats.ox.ac.uk/~ripley/
University of Oxford,             Tel:  +44 1865 272861 (self)
1 South Parks Road,                     +44 1865 272866 (PA)
Oxford OX1 3TG, UK                Fax:  +44 1865 272595