Head Up: Prepare for dropping fuse group in the nearest future

Matt Domsch Matt_Domsch at dell.com
Fri Feb 8 06:27:57 UTC 2008


On Tue, Feb 05, 2008 at 11:35:55PM +0100, Karel Zak wrote:
> On Tue, Feb 05, 2008 at 06:05:59PM +0100, Thorsten Leemhuis wrote:
> > Actually I'm wondering if we need some guidelines or other bureaucratic
> > hurdles to prevent packagers from using suid binaries without need.
> > Preferred: Maybe just a script could do the trick if it checks what
> > packages use suid binaries; somebody once every few weeks could run it
> > and check if there are new packages with suid binaries. If there are:
> > check whether it makes sense to ship them like that.
> 
>  That's why I think that our "Package Review Process" is an imperfect
>  process. We have barriers for new incoming packages, but there is
>  absolute freedom for old packages. IMHO there should be a simplified
>  review process before every Fedora release.
> 
>  (Of course it's not about suid binaries only.)

rpmlint reports on suid binaries.  I happen to generate rpmlint logs
for every successfully built RPM in my rebuild process.  Perhaps we
need something similar to happen in koji.


$ egrep -r set[gu]id */result/rpmlint.log
amanda-2.5.2p1-9.fc9.src.rpm/result/rpmlint.log:amanda-client.x86_64: E: setuid-binary /usr/lib64/amanda/killpgrp root 04750
amanda-2.5.2p1-9.fc9.src.rpm/result/rpmlint.log:amanda-client.x86_64: E: setuid-binary /usr/lib64/amanda/rundump root 04750
amanda-2.5.2p1-9.fc9.src.rpm/result/rpmlint.log:amanda-client.x86_64: E: setuid-binary /usr/lib64/amanda/runtar root 04750
amanda-2.5.2p1-9.fc9.src.rpm/result/rpmlint.log:amanda-client.x86_64: E: setuid-binary /usr/lib64/amanda/calcsize root 04750
amanda-2.5.2p1-9.fc9.src.rpm/result/rpmlint.log:amanda-server.x86_64: E: setuid-binary /usr/lib64/amanda/dumper root 04750
amanda-2.5.2p1-9.fc9.src.rpm/result/rpmlint.log:amanda-server.x86_64: E: setuid-binary /usr/lib64/amanda/planner root 04750
amanda-2.5.2p1-9.fc9.src.rpm/result/rpmlint.log:amanda-server.x86_64: E: setuid-binary /usr/sbin/amcheck root 04750
at-3.1.10-20.fc9.src.rpm/result/rpmlint.log:at.x86_64: E: setuid-binary /usr/bin/at root 04755
BackupPC-3.1.0-1.fc9.src.rpm/result/rpmlint.log:BackupPC.noarch: E: setuid-binary /usr/share/BackupPC/sbin/BackupPC_Admin backuppc 04750
bsd-games-2.17-22.fc9.src.rpm/result/rpmlint.log:bsd-games.x86_64: E: setgid-binary /usr/bin/phantasia gamephant 02755
bsd-games-2.17-22.fc9.src.rpm/result/rpmlint.log:bsd-games.x86_64: E: setgid-binary /usr/bin/sail gamesail 02755
bsd-games-2.17-22.fc9.src.rpm/result/rpmlint.log:bsd-games.x86_64: E: setgid-binary /usr/bin/hack gamehack 02755
compat-erlang-R10B-11.9.fc9.src.rpm/result/rpmlint.log:compat-erlang.x86_64: W: devel-file-in-non-devel-package /usr/lib64/erlang-R10B/erts-5.4.13/src/setuid_socket_wrap.c
cronie-1.0-2.fc9.src.rpm/result/rpmlint.log:cronie.x86_64: E: setuid-binary /usr/bin/crontab root 06755
cronie-1.0-2.fc9.src.rpm/result/rpmlint.log:cronie.x86_64: E: setgid-binary /usr/bin/crontab root 06755
fcron-3.0.3-3.fc8.src.rpm/result/rpmlint.log:fcron.x86_64: E: setuid-binary /usr/bin/fcrontab fcron 06755
fcron-3.0.3-3.fc8.src.rpm/result/rpmlint.log:fcron.x86_64: E: setgid-binary /usr/bin/fcrontab fcron 06755
fcron-3.0.3-3.fc8.src.rpm/result/rpmlint.log:fcron.x86_64: E: setuid-binary /usr/bin/fcronsighup root 04754
KoboDeluxe-0.5.1-1.fc9.src.rpm/result/rpmlint.log:KoboDeluxe.x86_64: E: setgid-binary /usr/bin/kobodl kobodl 02755
PolicyKit-0.7-5.fc9.src.rpm/result/rpmlint.log:PolicyKit.x86_64: E: setgid-binary /usr/libexec/polkit-revoke-helper polkituser 02755
PolicyKit-0.7-5.fc9.src.rpm/result/rpmlint.log:PolicyKit.x86_64: E: setgid-binary /usr/libexec/polkit-read-auth-helper polkituser 02755
PolicyKit-0.7-5.fc9.src.rpm/result/rpmlint.log:PolicyKit.x86_64: E: setgid-binary /usr/libexec/polkit-explicit-grant-helper polkituser 02755
PolicyKit-0.7-5.fc9.src.rpm/result/rpmlint.log:PolicyKit.x86_64: E: setuid-binary /usr/libexec/polkit-grant-helper-pam root 04750
PolicyKit-0.7-5.fc9.src.rpm/result/rpmlint.log:PolicyKit.x86_64: E: setgid-binary /usr/libexec/polkit-grant-helper polkituser 02755
PolicyKit-0.7-5.fc9.src.rpm/result/rpmlint.log:PolicyKit.x86_64: E: setgid-binary /usr/libexec/polkit-set-default-helper polkituser 02755


-Matt

-- 
Matt Domsch
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux
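
Added example, not part of the original message or of rpmlint: one way to turn the grep above into the periodic "any new suid binaries?" check suggested earlier in the thread. The baseline of already-reviewed files and the function names are assumptions; the sample lines are copied from the output quoted above.

```python
import re

# Shape of an rpmlint finding as shown in the grep output above:
#   [<log path>:]<pkg>.<arch>: E: set[ug]id-binary <file> <owner> <mode>
FINDING = re.compile(
    r"^(?:[^:\s]+:)?(?P<pkg>\S+)\.(?P<arch>\w+): E: set[ug]id-binary "
    r"(?P<path>\S+) (?P<owner>\S+) (?P<mode>0[0-7]{4})$"
)

def parse_findings(lines):
    """Return {(pkg, path): (owner, mode)} with one entry per file."""
    found = {}
    for line in lines:
        m = FINDING.match(line.strip())
        if not m:
            continue  # e.g. a W: line whose filename merely contains "setuid"
        mode = int(m["mode"], 8)
        if mode & 0o6000:  # setuid (04000) or setgid (02000) bit is set
            found[(m["pkg"], m["path"])] = (m["owner"], mode)
    return found

def unreviewed(lines, baseline):
    """Findings that are new, or whose owner/mode differ from the baseline."""
    return sorted(
        (pkg, path, owner, oct(mode))
        for (pkg, path), (owner, mode) in parse_findings(lines).items()
        if baseline.get((pkg, path)) != (owner, mode)
    )

# Lines taken from the rpmlint output quoted in the message above.
SAMPLE = [
    "at-3.1.10-20.fc9.src.rpm/result/rpmlint.log:at.x86_64: E: setuid-binary /usr/bin/at root 04755",
    "compat-erlang-R10B-11.9.fc9.src.rpm/result/rpmlint.log:compat-erlang.x86_64: W: devel-file-in-non-devel-package /usr/lib64/erlang-R10B/erts-5.4.13/src/setuid_socket_wrap.c",
    "cronie-1.0-2.fc9.src.rpm/result/rpmlint.log:cronie.x86_64: E: setuid-binary /usr/bin/crontab root 06755",
    "cronie-1.0-2.fc9.src.rpm/result/rpmlint.log:cronie.x86_64: E: setgid-binary /usr/bin/crontab root 06755",
    "KoboDeluxe-0.5.1-1.fc9.src.rpm/result/rpmlint.log:KoboDeluxe.x86_64: E: setgid-binary /usr/bin/kobodl kobodl 02755",
]
# Constructed baseline (assumption): files a reviewer has already accepted.
BASELINE = {
    ("at", "/usr/bin/at"): ("root", 0o4755),
    ("cronie", "/usr/bin/crontab"): ("root", 0o4755),  # accepted without setgid
}

if __name__ == "__main__":
    for row in unreviewed(SAMPLE, BASELINE):
        print(*row)
```

Matching on the `E: set[ug]id-binary` tag rather than the bare string drops the compat-erlang warning that the plain grep picks up, and keying on package and path collapses the paired setuid/setgid lines for one file into a single entry.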



