[Bug 580857] New: set /usr/bin/sign to 4750 permission
http://bugzilla.novell.com/show_bug.cgi?id=580857
http://bugzilla.novell.com/show_bug.cgi?id=580857#c0

Summary: set /usr/bin/sign to 4750 permission
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: BuildService
AssignedTo: meissner@novell.com
ReportedBy: adrian@novell.com
QAContact: adrian@novell.com
CC: mls@novell.com
Found By: ---
Blocker: ---

To avoid user confusion, and to avoid the setup of an OBS breaking signing on each update of the obs-signd package, I am going to set the sign executable to 4750 permission. This is basically used to open a port <1024 to ensure that a root process is speaking to the remote sign server.

This package will also end up in SLE 11 SP1 SDK. You may want to review the package beforehand; look in the "openSUSE:Tools" project, in the "obs-signd" package, if you want to see it.

-- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=580857#c1
Marcus Meissner
http://bugzilla.novell.com/show_bug.cgi?id=580857#c2
Adrian Schröter
http://bugzilla.novell.com/show_bug.cgi?id=580857#c3
--- Comment #3 from Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=580857#c4
--- Comment #4 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=580857#c5
Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=580857#c6
Adrian Schröter
https://bugzilla.novell.com/show_bug.cgi?id=580857#c7
--- Comment #7 from Sebastian Krahmer
From the setuid view it's safe: it drops euid and only temporarily regains it for low port binds. However, wasting an s bit is overkill today; we should prefer the appropriate capability in future.
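The pattern comment #7 describes, as an added example that is not part of the thread and not code from obs-signd: a setuid program gives up its privileged euid at startup and takes it back only around the bind() to a port below 1024. The function names `priv_suspend` and `bind_reserved` and the 512..1023 port range are assumptions made for this sketch.

```c
/* Added example; function names are hypothetical, not obs-signd code. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

static uid_t saved_euid; /* euid granted by the s bit (root for a root-owned 4750 file) */

/* Call first in main(): run as the invoking user; the old euid stays in the saved set-user-ID. */
int priv_suspend(void)
{
    saved_euid = geteuid();
    return seteuid(getuid());
}

/* Bind fd to a free local port in 512..1023. The privileged euid is held
 * only around bind(). Returns the port, or -1 with errno set. */
int bind_reserved(int fd)
{
    struct sockaddr_in sa;
    int port, rc = -1, err = 0;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (seteuid(saved_euid) != 0)
        return -1;
    for (port = 1023; port >= 512; port--) {
        sa.sin_port = htons((unsigned short)port);
        rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
        err = errno;
        if (rc == 0 || err != EADDRINUSE)
            break; /* bound, or a failure that retrying cannot fix */
    }
    if (seteuid(getuid()) != 0)
        _exit(1); /* never continue with the elevated euid */
    errno = err;
    return rc == 0 ? port : -1;
}

int main(void)
{
    int port = priv_suspend() == 0 ? bind_reserved(socket(AF_INET, SOCK_STREAM, 0)) : -1;
    printf("euid=%d port=%d\n", (int)geteuid(), port);
    return port < 0;
}
```

Whether the bind succeeds depends on how the program is installed and run; in every case the process is back at its real uid when `bind_reserved` returns.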
https://bugzilla.novell.com/show_bug.cgi?id=580857#c8
Thomas Biege