SUID binaries in the repo

Martin Stransky stransky at redhat.com
Fri Oct 26 09:50:34 UTC 2007


Hello,

please check https://bugzilla.redhat.com/show_bug.cgi?id=334311, Comment 
#27. After a discussion with the sec guys here I sent it for review to our 
security standards team.

So this change will not be released without review.

Regards,
martin

Thorsten Leemhuis wrote:
> On 26.10.2007 10:44, Martin Stransky (stransky) wrote:
>> Author: stransky
> 
> Martin, please don't take the mail as offense. Your commit just reminded
> me of something I wanted to bring up.
> 
>> Update of /cvs/pkgs/rpms/nspluginwrapper/F-8
>> In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21292
>> Modified Files:
>> 	nspluginwrapper.spec 
>> Added Files:
>> 	plugin-config-setuid.patch 
>> Log Message:
>> * Fri Oct 26 2007 Martin Stransky <stransky at redhat.com> 0.9.91.5-10
>> - mozilla-plugin-config can be run by normal user now
>>
>> plugin-config-setuid.patch:
>>
>> --- NEW FILE plugin-config-setuid.patch ---
>> --- mozilla/plugin-config-1.6/src/Makefile.in.old	2007-07-24 13:28:56.000000000 +0200
>> +++ mozilla/plugin-config-1.6/src/Makefile.in	2007-07-24 13:47:24.000000000 +0200
>> @@ -44,7 +44,7 @@ mkinstalldirs = $(install_sh) -d
>>  CONFIG_HEADER = $(top_builddir)/config.h
>>  CONFIG_CLEAN_FILES =
>>  am__installdirs = "$(DESTDIR)$(bindir)"
>> -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
>> +binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -m 4755
>>  PROGRAMS = $(bin_PROGRAMS)
>>  am_mozilla_plugin_config_OBJECTS = plugin-config.$(OBJEXT) \
>>  	plugin-detection.$(OBJEXT) plugin-dir.$(OBJEXT)
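Review bot: the "-m 4755" appended to binPROGRAMS_INSTALL installs setuid root, and since the rule covers everything in bin_PROGRAMS (PROGRAMS = $(bin_PROGRAMS)), any program later added to this Makefile inherits the bit too; the hunk also gives no hint why mozilla-plugin-config needs root at all, and a mode hidden in the generated Makefile.in never shows up in the spec's %files, so a reviewer reading the spec sees nothing unusual. Suggest leaving INSTALL_PROGRAM at its default mode and granting the bit explicitly in the spec, e.g. "%attr(4755,root,root) %{_bindir}/mozilla-plugin-config" with a comment pointing at the bugzilla discussion, or better still a wrapper that holds privileges only for the one step that needs them.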
> 
> We should try to avoid too much bureaucracy, but well, I feel a bit
> uncomfortable with too many SUID apps in Fedora. Should we track them
> somehow (a script that looks at the repo could likely create such a
> list) and review the list now and then?
> 
> Or put at least a little hurdle between SUID bits and the Fedora-repo
> with a "SUID apps must be reviewed/permitted by FOO" rule or something
> like that?
> 
> Just wondering.
> 
> CU
> knurd
> 
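Thorsten's idea of a script that lists the SUID apps in the repo, written out here as an added example (not part of the thread and not Fedora tooling); the checkout layout, the grep patterns and the sample files are my assumptions:

```shell
#!/bin/sh
# Added example: inventory where a packaging tree hands out setuid/setgid bits,
# so the list can be regenerated and reviewed now and then.  Two sources:
#   1. spec files granting the bit explicitly: %attr(4755,root,root) ...
#   2. patches/Makefiles granting it at install time ("install -m 4755", "chmod u+s");
#      the hunk quoted above hides the bit in Makefile.in, where %files never shows it.
# A third helper lists files that actually carry the bit in a built tree.

# Heuristic: a 4-digit mode whose first digit carries setuid (4) or setgid (2),
# or a symbolic u+s / g+s.  Case-insensitive so INSTALL_PROGRAM lines match.
SUID_GRANT_RE='%attr\( *[2467][0-7]{3}|install[^#]*-m *0?[2467][0-7]{3}|chmod[^#]*(0?[2467][0-7]{3}|[ug]\+s)'

# $1: root of a checkout, one subdirectory per package (assumed layout).
# Prints "file:line:text" per hit; no output means no grants were found.
suid_grants_in_pkg_tree() {
    find "$1" -type f \( -name '*.spec' -o -name '*.patch' -o -name 'Makefile*' \) \
        -exec grep -inE -e "$SUID_GRANT_RE" /dev/null {} + 2>/dev/null | sort
}

# $1: a buildroot or installed tree.  Prints every regular file that carries the
# setuid or setgid bit, however it got there.
suid_files_in_tree() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Constructed sample tree: a spec granting the bit, a patch like the one above,
# and a buildroot with one setuid binary and one plain one.
demo=$(mktemp -d)
mkdir -p "$demo/pkgs/foo" "$demo/pkgs/nspluginwrapper" "$demo/buildroot/usr/bin"
printf '%%attr(4755,root,root) %%{_bindir}/foo\n%%attr(0755,root,root) %%{_bindir}/bar\n' \
    > "$demo/pkgs/foo/foo.spec"
printf '+binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -m 4755\n' \
    > "$demo/pkgs/nspluginwrapper/plugin-config-setuid.patch"
: > "$demo/buildroot/usr/bin/mozilla-plugin-config"
: > "$demo/buildroot/usr/bin/plain"
chmod 4755 "$demo/buildroot/usr/bin/mozilla-plugin-config"
chmod 755 "$demo/buildroot/usr/bin/plain"

echo "== grants in packaging tree =="
suid_grants_in_pkg_tree "$demo/pkgs"
echo "== files carrying the bit in buildroot =="
suid_files_in_tree "$demo/buildroot"
rm -rf "$demo"
```

Run against a real checkout, the first function flags what the spec and patches promise and the second what a buildroot actually ships; a difference between the two lists is exactly what a review should look at.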