Hi,
in Fedora Extras we build R packages to a temporary directory. The
relevant section in the spec file is this:

%build
cd ..; R CMD INSTALL %{packname} -l %{buildroot}%{_libdir}/R/library

It works. :-)

We noticed one problem though (I will assume working on ix86 here): the
temporary build path is saved in
/usr/lib/R/library/*/Meta/hsearch.rds, i.e. for each package.

To see this it is enough to run strings over these files.

Is this a security concern? Does R use this path in any way?

In case the answer is yes, is it safe to run sed over this file and do
a textual replacement?

Thanks and best regards,
--
José Matos
On 03/03/06, José Matos <jaomatos at gmail.com> wrote:

> Hi,
> in Fedora Extras we build R packages to a temporary directory. The
> relevant section in the spec file is this:
>
> %build
> cd ..; R CMD INSTALL %{packname} -l %{buildroot}%{_libdir}/R/library
>
> It works. :-)
>
> We noticed one problem though (I will assume working on ix86 here): the
> temporary build path is saved in
> /usr/lib/R/library/*/Meta/hsearch.rds, i.e. for each package.

Searching a little bit more I see that Peter Dalgaard came to the
same conclusion one month ago:
https://stat.ethz.ch/pipermail/r-help/2006-February/086069.html

> To see this it is enough to run strings over these files.
>
> Is this a security concern? Does R use this path in any way?
>
> In case the answer is yes, is it safe to run sed over this file and do
> a textual replacement?
>
> Thanks and best regards,
> --
> José Matos

--
José Abílio
Prof Brian Ripley
2006-Mar-04 08:07 UTC
[Rd] Build directory path saved in Meta/hsearch.rds
On Fri, 3 Mar 2006, José Matos wrote:

> On 03/03/06, José Matos <jaomatos at gmail.com> wrote:
>> Hi,
>> in Fedora Extras we build R packages to a temporary directory. The
>> relevant section in the spec file is this:
>>
>> %build
>> cd ..; R CMD INSTALL %{packname} -l %{buildroot}%{_libdir}/R/library
>>
>> It works. :-)
>>
>> We noticed one problem though (I will assume working on ix86 here): the
>> temporary build path is saved in
>> /usr/lib/R/library/*/Meta/hsearch.rds, i.e. for each package.
>
> Searching a little bit more I see that Peter Dalgaard came to the
> same conclusion one month ago:
> https://stat.ethz.ch/pipermail/r-help/2006-February/086069.html

Yes, and his conclusion holds as well. Please explain what the problem is.

The first element of the object saved in hsearch.rds is a data frame with a
column LibPath. This is not used by help.search() after installation.

>> To see this it is enough to run strings over these files.
>>
>> Is this a security concern?

Why should there be any security issues about a non-existent path?

>> Does R use this path in any way?

Peter was referring to packages installed with R. If they were used, no
binary installation of R would work, so I presume they are not used.

>> In case the answer is yes, is it safe to run sed over this file and do
>> a textual replacement?

Not safe: the string lengths are encoded in the file.

>> Thanks and best regards,
>> --
>> José Matos
>
> --
> José Abílio

--
Brian D. Ripley,                  ripley at stats.ox.ac.uk
Professor of Applied Statistics,  http://www.stats.ox.ac.uk/~ripley/
University of Oxford,             Tel:  +44 1865 272861 (self)
1 South Parks Road,                     +44 1865 272866 (PA)
Oxford OX1 3TG, UK                Fax:  +44 1865 272595
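
Added example (not part of the thread, and not R's own code): a simplified length-prefixed string layout in Python, standing in for the reply's point that string lengths are encoded in the file, showing that a sed-style byte replacement of a different length breaks parsing while decoding and re-serializing does not. The record layout, function names and sample paths are assumptions constructed for illustration; this is not the actual .rds format.

```python
import struct

def pack_strings(strings):
    """Layout (assumed, simplified): 4-byte big-endian count, then length + bytes per string."""
    out = struct.pack(">i", len(strings))
    for s in strings:
        raw = s.encode("utf-8")
        out += struct.pack(">i", len(raw)) + raw
    return out

def unpack_strings(blob):
    """Parse the layout above; raise ValueError when the length fields do not add up."""
    (count,) = struct.unpack_from(">i", blob, 0)
    pos, items = 4, []
    for _ in range(count):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if n < 0 or pos + n > len(blob):
            raise ValueError("length field points past end of data")
        items.append(blob[pos:pos + n].decode("utf-8"))
        pos += n
    if pos != len(blob):
        raise ValueError("trailing bytes after last string")
    return items

def sed_style_replace(blob, old, new):
    """Byte-level substitution, as sed would do: the length fields are left untouched."""
    return blob.replace(old.encode("utf-8"), new.encode("utf-8"))

def rewrite_path(blob, old, new):
    """Decode, edit the values, serialize again so every length is recomputed."""
    return pack_strings([s.replace(old, new) for s in unpack_strings(blob)])

def parse_outcome(blob):
    """Return the parsed strings, or a short marker when the blob no longer parses."""
    try:
        return unpack_strings(blob)
    except (ValueError, UnicodeDecodeError, struct.error) as exc:
        return "corrupt: " + type(exc).__name__

# Constructed sample: a temporary build root (made up) followed by a second field.
BUILDROOT = "/var/tmp/pkg-root/usr/lib/R/library"
FINAL = "/usr/lib/R/library"
SAMPLE = pack_strings([BUILDROOT, "Title of help page"])

if __name__ == "__main__":
    print(parse_outcome(sed_style_replace(SAMPLE, BUILDROOT, FINAL)))  # no longer parses
    print(parse_outcome(rewrite_path(SAMPLE, BUILDROOT, FINAL)))       # both strings intact
```

In the sed-style case the first string still decodes, but its stale length makes it swallow the next length field and part of the following string before the parser fails on the remainder.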