Christian Boltz changed bug 1158538
What Removed Added
Flags   needinfo?(matthias.gerstner@suse.com)

Comment # 3 on bug 1158538 from 
(In reply to Matthias Gerstner from comment #2)
> Yes it looks good. But having to run zypper refresh as root reduces the
> value of this hardening quite a lot. I'm not sure if it is worth the added
> complexity in this case. What do you think?

It would be easy to run xsltproc as non-root, and looking at the amount of CVEs
listed in libxslt-tools, that probably isn't the worst idea. That would mean
(pseudo-patch)

    LANG=C /usr/bin/zypper --xmlout --non-interactive lu $params | \
+     setpriv --reuid nobody \
      xsltproc /usr/share/patch2mail/patch2mail.xsl - > "$tmp"

This willl also need   Requires: user(nobody)

(I never used setpriv, does the syntax look correct?)

The "mail" call could also run as non-root, but the security track of mailx
looks much better than the one from xsltproc ;-)


An alternative way could be to ship an AppArmor profile for patch2mail with Ux
for zypper (because cachedir is configurable and could be != /var/cache/zypp)
and ix for everything else, maybe even Cx to a restrictive child profile for
xsltproc.


With some additional effort (see my pseudocode), it would also be possible to
run zypper lu and sourcing the sysconfig file as non-root, but...

> > One problem / possible regression I see is that errors in "zypper -q
> > refresh" will not end up in the zypper lu output, and therefore won't be
> > visible anymore.
> 
> It would not be part of the zypper lu output, but it should still be part of
> the cron output, no?

As we say in germany: "Jein" ;-)

Currently refresh errors are part of the zypper xml output, and end up in the
mail patch2mail will send out.

If refreshing is done in a separate step, it will probably result in
- a mail from cron showing stderr of the patch2mail cronjob ("refresh failed 
  for $repo")
- a mail from patch2mail showing available updates - without the warning 
  about the refresh failure

Merging both parts into one mail would make things more complicated again.

IMHO sane options are
a) only run xsltproc as nobody
b) add an AppArmor profile

Opinions?

You are receiving this mail because: