[opensuse-packaging] How to proceed about permissions-file-setuid-bit
Hi

I’m packaging snappy for openSUSE in my home:zyga repository [1]. Snappy is comprised of two parts, snap-confine and snapd.

snap-confine contains a setuid executable and rpmlint complains [2]:

[ 29s] snap-confine.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/snap-confine is packaged with setuid/setgid bits (04755)
[ 29s] If the package is intended for inclusion in any SUSE product please open a bug
[ 29s] report to request review of the program by the security team

Where should I report the bug exactly (which product, etc) and is there any template I should use for this?

Best regards
ZK

[1] https://build.opensuse.org/package/show/home:zyga/snap-confine
[2] https://build.opensuse.org/package/live_build_log/home:zyga/snap-confine/ope...

--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org
On Wed, Jun 22, 2016 at 12:40:03PM +0200, Zygmunt Krynicki wrote:
Hi
I’m packaging snappy for openSUSE in my home:zyga repository [1]. Snappy is comprised of two parts, snap-confine and snapd.
snap-confine contains a setuid executable and rpmlint complains [2]:
[ 29s] snap-confine.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/snap-confine is packaged with setuid/setgid bits (04755)
[ 29s] If the package is intended for inclusion in any SUSE product please open a bug
[ 29s] report to request review of the program by the security team
Where should I report the bug exactly (which product, etc) and is there any template I should use for this?
Best regards
ZK

[1] https://build.opensuse.org/package/show/home:zyga/snap-confine
[2] https://build.opensuse.org/package/live_build_log/home:zyga/snap-confine/ope...
Open a bug against openSUSE Tumbleweed, category Security.

Ciao, Marcus
On Wed, 22 Jun 2016 12:40, Zygmunt Krynicki wrote:
Hi
I’m packaging snappy for openSUSE in my home:zyga repository [1]. Snappy is comprised of two parts, snap-confine and snapd.
snap-confine contains a setuid executable and rpmlint complains [2]:
[ 29s] snap-confine.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/snap-confine is packaged with setuid/setgid bits (04755)
[ 29s] If the package is intended for inclusion in any SUSE product please open a bug
[ 29s] report to request review of the program by the security team
Where should I report the bug exactly (which product, etc) and is there any template I should use for this?
First, Bug, as already said: Against Security.

Second: Do the future users / package maintainers a favour, and add a file "/etc/permissions.d/snappy" which contains the needed settings for "/usr/lib/snap-confine".

This allows you to package without setuid-bit, and call "/usr/bin/chkstat --set /etc/permissions.d/snappy" in the spec-file %install section.

Nonetheless, for inclusion into an "official devel" or even "release" repo (e.g. tumbleweed/factory) a review by the security team is needed.

- Yamaban.

PS: If I'm talking sh.t here, please send a correction to the list.
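An added example, not part of the thread and not code from rpmlint or chkstat: a pre-submission audit of a staged build root against a permissions.d-style file, following the layout discussed above (binary packaged without the setuid bit, privileged mode declared separately for the security team to review). It assumes plain `path owner:group mode` entries; the function names and the sample entry are constructed for illustration.

```python
import os
import stat

SPECIAL = stat.S_ISUID | stat.S_ISGID

def parse_permissions(text):
    """Parse 'path owner:group mode' lines; '#' starts a comment."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or ":" not in fields[1]:
            raise ValueError(f"unrecognised permissions line: {raw!r}")
        path, owner, mode = fields
        entries[path] = (owner, int(mode, 8))
    return entries

def audit(buildroot, entries):
    """Compare the files staged under buildroot with the permissions entries."""
    report = {"packaged_with_bits": [], "missing": [], "needs_review": []}
    # Files that already carry setuid/setgid bits inside the package payload.
    for dirpath, _dirs, files in os.walk(buildroot):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & SPECIAL:
                installed = "/" + os.path.relpath(full, buildroot)
                report["packaged_with_bits"].append(
                    (installed, oct(stat.S_IMODE(st.st_mode))))
    # Declared entries: each must exist; privileged ones go to security review.
    for path, (owner, mode) in sorted(entries.items()):
        if not os.path.isfile(os.path.join(buildroot, path.lstrip("/"))):
            report["missing"].append(path)
        elif mode & SPECIAL:
            report["needs_review"].append((path, owner, oct(mode)))
    return report

# Constructed sample entry for the binary named in the thread.
SAMPLE = """\
# constructed example entry
/usr/lib/snap-confine  root:root  4755
"""

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for kind, items in audit(root, parse_permissions(SAMPLE)).items():
        print(kind, items)
```
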
participants (3)
- Marcus Meissner
- Yamaban
- Zygmunt Krynicki