[Bug 1150366] New: AUDIT-1: ceph-common: review of setgid directory /var/log/ceph
http://bugzilla.suse.com/show_bug.cgi?id=1150366

Bug ID: 1150366
Summary: AUDIT-1: ceph-common: review of setgid directory /var/log/ceph
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: matthias.gerstner@suse.com
QA Contact: qa-bugs@suse.de
CC: jsegitz@suse.com, malte.kraus@suse.com, matthias.gerstner@suse.com, ncutler@suse.com
Blocks: 1150189
Found By: ---
Blocker: ---

+++ This bug was initially created as a clone of Bug #1150189

As discussed in the proactive security team we want to catch up with packages installing set*id items that haven't been whitelisted yet in the permissions package. Formerly this rpmlint check type didn't cause badness and therefore didn't require packagers to actually have them reviewed.

ceph-common is one of the packages installing a setgid directory that isn't currently whitelisted:

/var/log/ceph drwxrws--T from ceph-common-14.2.2.354+g8878cf2360-1.1.x86_64.rpm

The secure use of this directory needs to be reviewed and if all is good a whitelisting entry in all our permission profiles must be added.

--
You are receiving this mail because:
You are on the CC list for the bug.
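Added example, not part of the original report and not code from rpmlint or the permissions package: it decodes the `drwxrws--T` mode quoted above into numeric bits and flags setuid/setgid items that have no matching allowlist entry. The `path owner:group mode` entry layout, the sample entries and all function names are assumptions made for illustration.

```python
import stat

# Constructed allowlist in "path owner:group mode" form (layout assumed here).
SAMPLE_ALLOWLIST = """\
/usr/bin/example-tool root:root 4755
"""

# Constructed package listing; only the /var/log/ceph mode comes from the report.
SAMPLE_LISTING = [
    ("/var/log/ceph", "drwxrws--T"),
    ("/usr/bin/example-tool", "-rwsr-xr-x"),
    ("/etc/example", "drwxr-xr-x"),
]

def parse_symbolic_mode(text):
    """Convert a 10-character ls-style mode string into numeric mode bits."""
    if len(text) != 10:
        raise ValueError(f"expected 10 characters, got {text!r}")
    specials = ((stat.S_ISUID, "sS"), (stat.S_ISGID, "sS"), (stat.S_ISVTX, "tT"))
    mode = 0
    for i, (special, (lower, upper)) in enumerate(specials):
        r, w, x = text[1 + 3 * i: 4 + 3 * i]
        if r not in "r-" or w not in "w-" or x not in ("x", "-", lower, upper):
            raise ValueError(f"bad permission triplet in {text!r}")
        mode |= ((4 if r == "r" else 0) | (2 if w == "w" else 0)) << (6 - 3 * i)
        mode |= (1 << (6 - 3 * i)) if x in ("x", lower) else 0  # s/t imply execute
        mode |= special if x in (lower, upper) else 0  # s/S/t/T set the special bit
    return mode

def load_allowlist(text):
    """Map each allowlisted path to its approved numeric mode."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and not line.lstrip().startswith("#"):
            entries[fields[0]] = int(fields[2], 8)
    return entries

def unreviewed_special_bits(listing, allowlist):
    """Return (path, octal mode) for setuid/setgid items lacking a matching entry."""
    findings = []
    for path, text in listing:
        mode = parse_symbolic_mode(text)
        if mode & (stat.S_ISUID | stat.S_ISGID) and allowlist.get(path) != mode:
            findings.append((path, format(mode, "04o")))
    return findings

if __name__ == "__main__":
    print(unreviewed_special_bits(SAMPLE_LISTING, load_allowlist(SAMPLE_ALLOWLIST)))
```

The capital `T` in the reported mode means the sticky bit is set while "other" has no execute permission, so the directory decodes to 3770.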
Malte Kraus
http://bugzilla.suse.com/show_bug.cgi?id=1150366#c1
Nathan Cutler
Dominique Leuenberger
http://bugzilla.suse.com/show_bug.cgi?id=1150366#c2
--- Comment #2 from Dominique Leuenberger
Ping - this is (apparently) blocking Ceph submissions to openSUSE:Factory.
FTR: https://build.opensuse.org/request/show/779354 received an auto-security review request (presumably for the rpmlintrc entry)
http://bugzilla.suse.com/show_bug.cgi?id=1150366#c3
Malte Kraus
http://bugzilla.suse.com/show_bug.cgi?id=1150366#c4
--- Comment #4 from Nathan Cutler
Well, some life signs in bsc#1163170 would be good.
OK, I just updated bsc#1163170
I suppose I can expedite the whitelisting though, since the current state is in a bunch of products anyway.
It seems to me that:
(1) the possible security issue described in bsc#1163170 has been there for a long time and it's not really clear that it's exploitable
(2) it would make sense to whitelist now, so as not to block downstream Ceph development while the security implications of bsc#1163170 are being hashed out.
http://bugzilla.suse.com/show_bug.cgi?id=1150366#c5
--- Comment #5 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1150366#c7
Nathan Cutler
https://bugzilla.suse.com/show_bug.cgi?id=1150366#c10
--- Comment #10 from Swamp Workflow Management