[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SUID binaries in the repo



On 26.10.2007 11:50, Martin Stransky wrote:
>
> please check https://bugzilla.redhat.com/show_bug.cgi?id=334311, Comment 
> #27. After discussion with sec guys here I sent it for the review to our 
> security standards team.
> So this change will not be released without review.

As I said, I didn't care about this particular package or commit. It
seems you did all that is needed before shipping nspluginwrapper as SUID.

But we have other packages (I had two and still have one) that entered
the repo with SUID binaries that were never reviewed by anyone. Do we
care? Do we trust packagers (¹) enough to decide?

Just wondering.

CU
Thorsten "package monkey" Leemhuis ;-)

(¹) -- some of them not even know the programming language properly the
stuff they package is written in

> Thorsten Leemhuis wrote:
>> On 26.10.2007 10:44, Martin Stransky (stransky) wrote:
>>> Author: stransky
>> Martin, please don't take the mail as offense. Your commit just reminded
>> me of something I wanted to bring up.
>>
>>> Update of /cvs/pkgs/rpms/nspluginwrapper/F-8
>>> In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21292
>>> Modified Files:
>>> 	nspluginwrapper.spec 
>>> Added Files:
>>> 	plugin-config-setuid.patch 
>>> Log Message:
>>> * Fri Oct 26 2007 Martin Stransky <stransky redhat com> 0.9.91.5-10
>>> - mozilla-plugin-config can be run by normal user now
>>>
>>> plugin-config-setuid.patch:
>>>
>>> --- NEW FILE plugin-config-setuid.patch ---
>>> --- mozilla/plugin-config-1.6/src/Makefile.in.old	2007-07-24 13:28:56.000000000 +0200
>>> +++ mozilla/plugin-config-1.6/src/Makefile.in	2007-07-24 13:47:24.000000000 +0200
>>> @@ -44,7 +44,7 @@ mkinstalldirs = $(install_sh) -d
>>>  CONFIG_HEADER = $(top_builddir)/config.h
>>>  CONFIG_CLEAN_FILES =
>>>  am__installdirs = "$(DESTDIR)$(bindir)"
>>> -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
>>> +binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -m 4755
>>>  PROGRAMS = $(bin_PROGRAMS)
>>>  am_mozilla_plugin_config_OBJECTS = plugin-config.$(OBJEXT) \
>>>  	plugin-detection.$(OBJEXT) plugin-dir.$(OBJEXT)
>> We should try to avoid to much bureaucracy, but well, I feel a bit
>> uncomfortable with to many SUID apps in Fedora. Should we track them
>> somehow (a script that looks at the repo could likely create such a
>> list) and review the list now and then?
>>
>> Or put at least a little hurdle between SUID bits and the Fedora-repo
>> with a "SUID apps must be reviewed/permitted by FOO" rule or something
>> like that?
>>
>> Just wondering.
>>
>> CU
>> knurd
>>
> 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]