SUID binaries in the repo
Thorsten Leemhuis
fedora at leemhuis.info
Fri Oct 26 10:09:46 UTC 2007
On 26.10.2007 11:50, Martin Stransky wrote:
>
> please check https://bugzilla.redhat.com/show_bug.cgi?id=334311, Comment
> #27. After discussion with sec guys here I sent it for the review to our
> security standards team.
> So this change will not be released without review.
As I said, I didn't care about this particular package or commit. It
seems you did all that is needed before shipping nspluginwrapper as SUID.
But we have other packages (I had two and still have one) that entered
the repo with SUID binaries that were never reviewed by anyone. Do we
care? Do we trust packagers (¹) enough to decide?
Just wondering.
CU
Thorsten "package monkey" Leemhuis ;-)
(¹) -- some of them not even know the programming language properly the
stuff they package is written in
> Thorsten Leemhuis wrote:
>> On 26.10.2007 10:44, Martin Stransky (stransky) wrote:
>>> Author: stransky
>> Martin, please don't take the mail as offense. Your commit just reminded
>> me of something I wanted to bring up.
>>
>>> Update of /cvs/pkgs/rpms/nspluginwrapper/F-8
>>> In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21292
>>> Modified Files:
>>> nspluginwrapper.spec
>>> Added Files:
>>> plugin-config-setuid.patch
>>> Log Message:
>>> * Fri Oct 26 2007 Martin Stransky <stransky at redhat.com> 0.9.91.5-10
>>> - mozilla-plugin-config can be run by normal user now
>>>
>>> plugin-config-setuid.patch:
>>>
>>> --- NEW FILE plugin-config-setuid.patch ---
>>> --- mozilla/plugin-config-1.6/src/Makefile.in.old 2007-07-24 13:28:56.000000000 +0200
>>> +++ mozilla/plugin-config-1.6/src/Makefile.in 2007-07-24 13:47:24.000000000 +0200
>>> @@ -44,7 +44,7 @@ mkinstalldirs = $(install_sh) -d
>>> CONFIG_HEADER = $(top_builddir)/config.h
>>> CONFIG_CLEAN_FILES =
>>> am__installdirs = "$(DESTDIR)$(bindir)"
>>> -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
>>> +binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -m 4755
>>> PROGRAMS = $(bin_PROGRAMS)
>>> am_mozilla_plugin_config_OBJECTS = plugin-config.$(OBJEXT) \
>>> plugin-detection.$(OBJEXT) plugin-dir.$(OBJEXT)
>> We should try to avoid to much bureaucracy, but well, I feel a bit
>> uncomfortable with to many SUID apps in Fedora. Should we track them
>> somehow (a script that looks at the repo could likely create such a
>> list) and review the list now and then?
>>
>> Or put at least a little hurdle between SUID bits and the Fedora-repo
>> with a "SUID apps must be reviewed/permitted by FOO" rule or something
>> like that?
>>
>> Just wondering.
>>
>> CU
>> knurd
>>
>
More information about the fedora-devel-list
mailing list