Axel.Thimm(a)ATrpms.net (Axel Thimm) writes:
> This directory is NOT unique and will break if 2 or more users are
> running an rpmbuild in parallel on the same /var/tmp filesystem.
And everything will break if someone builds for i686 and i586 (e.g. a
kernel or glibc) simultaneously on the same filesystem (as the same
user), which is even worse and probably more common than two non-root
users sharing the same build server and building *exactly* the same
package EVR-wise.
ACK; when you build on multi-user systems, you should use a secure
%_tmppath instead of trusting %(id -u). Else, an attacker could create
between
| rm -rf $RPM_BUILD_ROOT
| ...
| make install --> mkinstalldir $RPM_BUILD_ROOT
an $RPM_BUILD_ROOT with e.g. files for symlink attacks (it should be
trivial to find the window above with inotify(2)).
Therefore, multi-user environments are not an argument pro %(id -u).
Enrico
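
An added example, not part of the original message: one way to get the "secure %_tmppath" mentioned above is a private, unpredictably named parent directory, so that no other local user can place anything at the build root path between the `rm -rf` and the directory creation. The function names are hypothetical and are not part of rpm.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not rpm's.

# Create a private parent directory for build roots. mktemp -d creates it
# atomically with mode 0700 and an unpredictable name, so other local users
# cannot create or replace entries inside it.
make_private_tmppath() {
    mktemp -d "${1:-/var/tmp}/rpmbuild.XXXXXXXXXX"
}

# True if the path is a real directory (not a symlink), owned by the
# current user, and not writable by group or others.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case $(ls -ld -- "$1") in
        ?????w*|????????w*) return 1 ;;   # group- or world-writable
    esac
    return 0
}

# Recreate the build root, as the "rm -rf ... mkdir" sequence does, but only
# inside a private parent. Plain mkdir (no -p) fails if the path exists, so
# anything planted in the window is reported instead of being reused.
fresh_buildroot() {
    is_private_dir "$(dirname -- "$1")" || return 2
    rm -rf -- "$1" || return 3
    mkdir -m 0700 -- "$1" || return 4
}
```

The directory printed by `make_private_tmppath` can be handed to a build with `rpmbuild --define "_tmppath <dir>"`.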