SUID binaries in the repo (was: Re: rpms/nspluginwrapper/F-8 plugin-config-setuid.patch, NONE, 1.1 nspluginwrapper.spec, 1.25, 1.26)

Thorsten Leemhuis fedora at leemhuis.info
Fri Oct 26 09:19:14 UTC 2007


On 26.10.2007 10:44, Martin Stransky (stransky) wrote:
> Author: stransky

Martin, please don't take the mail as offense. Your commit just reminded
me of something I wanted to bring up.

> Update of /cvs/pkgs/rpms/nspluginwrapper/F-8
> In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21292
> Modified Files:
> 	nspluginwrapper.spec 
> Added Files:
> 	plugin-config-setuid.patch 
> Log Message:
> * Fri Oct 26 2007 Martin Stransky <stransky at redhat.com> 0.9.91.5-10
> - mozilla-plugin-config can be run by normal user now
> 
> plugin-config-setuid.patch:
> 
> --- NEW FILE plugin-config-setuid.patch ---
> --- mozilla/plugin-config-1.6/src/Makefile.in.old	2007-07-24 13:28:56.000000000 +0200
> +++ mozilla/plugin-config-1.6/src/Makefile.in	2007-07-24 13:47:24.000000000 +0200
> @@ -44,7 +44,7 @@ mkinstalldirs = $(install_sh) -d
>  CONFIG_HEADER = $(top_builddir)/config.h
>  CONFIG_CLEAN_FILES =
>  am__installdirs = "$(DESTDIR)$(bindir)"
> -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
> +binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -m 4755
>  PROGRAMS = $(bin_PROGRAMS)
>  am_mozilla_plugin_config_OBJECTS = plugin-config.$(OBJEXT) \
>  	plugin-detection.$(OBJEXT) plugin-dir.$(OBJEXT)
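
Review bot: The changed line `binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -m 4755` sets the setuid bit on everything listed in `bin_PROGRAMS`, not only on mozilla-plugin-config, and it does so inside the generated Makefile.in, where the change is lost if the file is regenerated and is invisible to anyone reading the spec file. Consider leaving the install rule alone and declaring the mode and owner for the one binary in the spec's %files section with an explicit %attr entry, so the setuid bit shows up in package review. Neither the patch nor the changelog entry says which operation needs elevated privileges; a short comment stating that would let reviewers judge whether setuid is needed at all.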

We should try to avoid too much bureaucracy, but well, I feel a bit
uncomfortable with too many SUID apps in Fedora. Should we track them
somehow (a script that looks at the repo could likely create such a
list) and review the list now and then?

Or put at least a little hurdle between SUID bits and the Fedora-repo
with a "SUID apps must be reviewed/permitted by FOO" rule or something
like that?

Just wondering.

CU
knurd
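
The tracking script and the "must be reviewed/permitted" rule suggested in the message above can be combined into one check. The following is an added example, not part of the original mail or of any Fedora tooling; the listing format, the sample lines and the `APPROVED` allowlist are assumptions made for illustration.

```python
# Added example: flag SUID/SGID files in a package file listing and compare
# them with a reviewed allowlist. Input format is an assumption: one
# "<package> <perms> <path>" line per file, e.g. from
#   rpm -qp --qf '[%{=NAME} %{FILEMODES:perms} %{FILENAMES}\n]' *.rpm

# Constructed sample listing (not real repository data).
SAMPLE_LISTING = """\
nspluginwrapper -rwsr-xr-x /usr/bin/mozilla-plugin-config
nspluginwrapper -rwxr-xr-x /usr/bin/nspluginwrapper
examplepkg -rwxr-sr-x /usr/bin/example-sgid-tool
examplepkg -rwSr--r-- /usr/share/examplepkg/odd file
examplepkg drwxrwsr-x /var/lib/examplepkg
"""

# Hypothetical allowlist of (package, path) pairs that passed review.
APPROVED = {("examplepkg", "/usr/bin/example-sgid-tool")}


def special_bits(perms):
    """Return the set of special bits ('suid', 'sgid') in an ls-style string."""
    bits = set()
    if len(perms) != 10:
        return bits
    if perms[3] in "sS":   # owner execute slot: s = suid+x, S = suid without x
        bits.add("suid")
    if perms[6] in "sS":   # group execute slot
        bits.add("sgid")
    return bits


def audit(listing, approved):
    """Return sorted (package, path, bits) for unapproved SUID/SGID regular files."""
    findings = []
    for line in listing.splitlines():
        parts = line.split(None, 2)   # path may contain spaces
        if len(parts) != 3:
            continue
        package, perms, path = parts
        bits = special_bits(perms)
        # Only regular files: setgid on a directory just controls group inheritance.
        if not bits or perms[0] != "-" or (package, path) in approved:
            continue
        findings.append((package, path, ",".join(sorted(bits))))
    return sorted(findings)


if __name__ == "__main__":
    for package, path, bits in audit(SAMPLE_LISTING, APPROVED):
        print(f"UNREVIEWED {bits:9} {package:16} {path}")
```

Run against each new compose, any line it prints is a SUID/SGID file that has not yet been through review.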



