[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SUID binaries in the repo


please check https://bugzilla.redhat.com/show_bug.cgi?id=334311, Comment #27. After discussion with sec guys here I sent it for the review to our security standards team.

So this change will not be released without review.


Thorsten Leemhuis wrote:
On 26.10.2007 10:44, Martin Stransky (stransky) wrote:
Author: stransky

Martin, please don't take the mail as offense. Your commit just reminded
me of something I wanted to bring up.

Update of /cvs/pkgs/rpms/nspluginwrapper/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21292
Modified Files:
nspluginwrapper.spec Added Files: plugin-config-setuid.patch Log Message:
* Fri Oct 26 2007 Martin Stransky <stransky redhat com>
- mozilla-plugin-config can be run by normal user now


--- NEW FILE plugin-config-setuid.patch ---
--- mozilla/plugin-config-1.6/src/Makefile.in.old	2007-07-24 13:28:56.000000000 +0200
+++ mozilla/plugin-config-1.6/src/Makefile.in	2007-07-24 13:47:24.000000000 +0200
@@ -44,7 +44,7 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 am__installdirs = "$(DESTDIR)$(bindir)"
 am_mozilla_plugin_config_OBJECTS = plugin-config.$(OBJEXT) \
 	plugin-detection.$(OBJEXT) plugin-dir.$(OBJEXT)

We should try to avoid to much bureaucracy, but well, I feel a bit
uncomfortable with to many SUID apps in Fedora. Should we track them
somehow (a script that looks at the repo could likely create such a
list) and review the list now and then?

Or put at least a little hurdle between SUID bits and the Fedora-repo
with a "SUID apps must be reviewed/permitted by FOO" rule or something
like that?

Just wondering.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]