Security reviews for new packages
Mamoru Tasaka
mtasaka at ioa.s.u-tokyo.ac.jp
Wed Jan 14 16:04:33 UTC 2009
Jason L Tibbitts III wrote, at 11/12/2008 12:51 AM +9:00:
> I do many package reviews, and occasionally I see a package that is
> fine packaging-wise but which I don't feel comfortable approving
> because I know it has security implications. One such package is
> schroot, which has some pam magic to allow users to set up chroots.
> https://bugzilla.redhat.com/show_bug.cgi?id=447368
>
> It's quite possible that I'm simply being overly paranoid, but of
> course I'm not qualified to say one way or the other. Is it possible
> for someone with more knowledge in this area to take a look at the
> package? What would be needed? (Perhaps a scratch build, or are the
> src.rpm and spec sufficient?)
>
> Could we work out a simple procedure for doing this in the future?
>
> - J<
Some days ago my potential sponsoree submitted a review request,
which (according to the explanation) uses chroot() and has some
setuid binaries. I guess I can do the "basic" reviews also required for
other packages; however, for security matters I would really appreciate
any help from anyone who knows how to deal with security issues.
https://bugzilla.redhat.com/show_bug.cgi?id=479546
- Jailkit limits user accounts to specific files and/or commands
Regards,
Mamoru