Mailinglist Archive: opensuse-factory (528 mails)
Re: [opensuse-factory] Permissions and security levels
- From: Marcus Meissner <meissner@xxxxxxx>
- Date: Thu, 3 May 2007 07:36:21 +0200
- Message-id: <20070503053621.GA24978@xxxxxxx>
> > # zypp - allow opensuseupdater to do its job
> > /usr/sbin/zypp-checkpatches-wrapper root:root 4755
> >
> >
> > Regards,
> >
> > Christian Boltz
> what about a default apparmor wrap on opensuse updater?
It calls /usr/sbin/zypp-checkpatches-wrapper, which would need one
and then it will be quite difficult to confine this setuid root binary.
In general... The reason the zypp-checkpatches-wrapper is setuid root
is mostly for keeping potential privacy information in the configured
repositories ...
Think user/password pairs for FTP servers, or for SLE the deviceid/secret
pairs.
Also for not doing the download twice, but this could be done in a cron
job.
Ciao, Marcus
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-factory+help@xxxxxxxxxxxx
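An added example, not part of the original mail or of any openSUSE tool: a small auditor that parses entries in the `path owner:group mode` layout quoted above and compares them with what is on disk, flagging setuid-root files. The function names are hypothetical and the entry layout is inferred from the single quoted line.

```python
import grp, os, pwd, stat
from collections import namedtuple

# Constructed sample in the "path owner:group mode" layout quoted in the thread.
SAMPLE = """\
# zypp - allow opensuseupdater to do its job
/usr/sbin/zypp-checkpatches-wrapper root:root 4755
"""

Entry = namedtuple("Entry", "path owner group mode")  # mode: int, incl. setuid bit

def parse(text):
    """Parse entries, skipping blanks and comments; reject malformed lines."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3 or ":" not in fields[1]:
            raise ValueError(f"line {n}: expected 'path owner:group mode'")
        owner, group = fields[1].split(":", 1)
        entries.append(Entry(fields[0], owner, group, int(fields[2], 8)))
    return entries

def compare(entry, st_mode, owner, group):
    """Return findings for one file given its observed mode and owner names."""
    findings = []
    actual = stat.S_IMODE(st_mode)  # keep permission, setuid, setgid, sticky bits
    if (owner, group) != (entry.owner, entry.group):
        findings.append(f"owner {owner}:{group}, expected {entry.owner}:{entry.group}")
    if actual != entry.mode:
        findings.append(f"mode {actual:04o}, expected {entry.mode:04o}")
    if actual & stat.S_ISUID and owner == "root":
        findings.append("setuid root: runs with effective uid 0 for any caller")
    return findings

def audit(text):
    """Stat each listed path on this host and report deviations per path."""
    report = {}
    for e in parse(text):
        if not os.path.lexists(e.path):
            report[e.path] = ["missing"]
            continue
        st = os.lstat(e.path)  # lstat: do not follow a symlink swapped into place
        # Assumes the uid and gid resolve to names in the local user database.
        owner, group = pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
        report[e.path] = compare(e, st.st_mode, owner, group)
    return report
```

`audit(SAMPLE)` returns a dict keyed by path; an empty list means the file matches its entry and carries no setuid-root bit.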