[Bug 1201385] AUDIT-0: postfix: review of permissions-file-setuid-bit: /usr/sbin/postlog (02755)
http://bugzilla.opensuse.org/show_bug.cgi?id=1201385
http://bugzilla.opensuse.org/show_bug.cgi?id=1201385#c21

Christian Wittmer <chris@computersalat.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(dimstar@opensuse.org)

--- Comment #21 from Christian Wittmer <chris@computersalat.de> ---
(In reply to Dominique Leuenberger from comment #17)
@Christian,
The build of postfix currently fails with:
[ 132s] --------------------------------------------------------------------
[ 132s] ERROR: chkstat --level secure modified package postfix
[ 132s] Please add '%verify(not mode,...) for those to avoid listings in rpm -V.
[ 132s] diff for both runs of rpm -V:
[ 132s] --- //.build_rpmVp_orig 2022-08-01 13:44:14.812000000 +0000
[ 132s] +++ //.build_rpmVp_easy 2022-08-01 13:44:14.876000000 +0000
[ 132s] @@ -0,0 +1 @@
[ 132s] +.M....G.. /usr/sbin/postlog
[ 132s] --------------------------------------------------------------------
[ 132s] --------------------------------------------------------------------
[ 132s] ERROR: chkstat --level paranoid modified package postfix
[ 132s] Please add '%verify(not mode,...) for those to avoid listings in rpm -V.
[ 132s] diff for both runs of rpm -V:
[ 132s] --- //.build_rpmVp_orig 2022-08-01 13:44:14.812000000 +0000
[ 132s] +++ //.build_rpmVp_paranoid 2022-08-01 13:44:14.932000000 +0000
[ 132s] @@ -0,0 +1 @@
[ 132s] +.M....G.. /usr/sbin/postlog
[ 132s] --------------------------------------------------------------------
And, indeed, /usr/sbin/postlog is not listed in the set_permissions and verify_permissions scripts sections of postfix.spec, also the files section does not correspond to this:
i.e %post contains:
%set_permissions %{_sbindir}/postqueue
%set_permissions %{_sbindir}/postdrop
%set_permissions %{_sysconfdir}/%{name}/sasl_passwd
%set_permissions %{_sbindir}/sendmail
(missing /usr/sbin/postlog)
%verifyscript is:
%verify_permissions -e %{_sbindir}/postqueue
%verify_permissions -e %{_sbindir}/postdrop
%verify_permissions -e %{_sysconfdir}/%{name}/sasl_passwd
%verify_permissions -e %{_sbindir}/sendmail
(again, missing postlog)
and files section is %attr(0755,root,root) %{_sbindir}/postlog
lacking verify (not mode, group) as the mode is adjusted by the permissions profile to 2755 and group changes to maildrop
group is actually debatable why it should not be packaged as ':maildrop' directly, as all security profiles (easy, secure, paranoid) set that group (rule is to set the rpm metadata to match the paranoid setting, i.e. 32+/usr/sbin/postlog root:maildrop 0755
Hope that helps
@dimstar
those above mentioned missings are needed with the new 3.7.x version which is prepared here already:
https://build.opensuse.org/package/rdiff/home:computersalat:devel:mail/postfix?opackage=postfix&oproject=server%3Amail&rev=59

So when the permissions package is updated and available for 15.3 and 15.4 (as it seems to be with comment #19 and #20) the SR here:
https://build.opensuse.org/request/show/989467
can be accepted ... if you agree.

Thank you :-)
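
The gap described in the quoted comment #17 (a path managed by a permissions profile but missing from %set_permissions, %verify_permissions and %verify(not mode)) can be checked mechanically. The following is an added example, not code from the bug report or the postfix package; `audit_spec`, the macro values and both sample inputs are constructed for illustration.

```python
import re

# Assumed macro values; a real build expands these through rpm itself.
MACROS = {"%{_sbindir}": "/usr/sbin", "%{_sysconfdir}": "/etc", "%{name}": "postfix"}

# Constructed sample: scriptlet and %files lines as quoted in the comment (shortened),
# plus a hypothetical, correctly handled postqueue %files entry for contrast.
SAMPLE_SPEC = """\
%post
%set_permissions %{_sbindir}/postqueue
%set_permissions %{_sbindir}/sendmail
%verifyscript
%verify_permissions -e %{_sbindir}/postqueue
%verify_permissions -e %{_sbindir}/sendmail
%files
%attr(0755,root,root) %{_sbindir}/postlog
%verify(not mode) %attr(2755,root,maildrop) %{_sbindir}/postqueue
"""

# Constructed profile lines in "path owner:group mode" form.
SAMPLE_PROFILE = """\
/usr/sbin/postlog root:maildrop 2755
/usr/sbin/postqueue root:maildrop 2755
"""

def audit_spec(spec, profile):
    """Map each profile-managed path the spec packages to the handling it lacks."""
    for macro, value in MACROS.items():
        spec = spec.replace(macro, value)
    set_perm = set(re.findall(r"^%set_permissions\s+(\S+)", spec, re.M))
    verify_perm = set(re.findall(r"^%verify_permissions\s+-e\s+(\S+)", spec, re.M))
    findings = {}
    for entry in profile.splitlines():
        fields = entry.split()
        if len(fields) != 3 or not fields[0].startswith("/"):
            continue  # skip comments, blank lines and anything malformed
        path = fields[0]
        # %files lines end with the path; scriptlet macro calls are excluded.
        files = [l for l in spec.splitlines()
                 if l.split()[-1:] == [path] and not l.startswith(("%set_", "%verify_"))]
        if not files:
            continue  # path is not packaged by this spec
        checks = [("%set_permissions", path in set_perm),
                  ("%verify_permissions", path in verify_perm),
                  ("%verify(not mode)",
                   any(re.search(r"%verify\(not\b[^)]*\bmode\b", l) for l in files))]
        missing = [name for name, ok in checks if not ok]
        if missing:
            findings[path] = missing
    return findings
```

Calling `audit_spec(SAMPLE_SPEC, SAMPLE_PROFILE)` reports only /usr/sbin/postlog, with all three items missing, which matches the path chkstat flags in the build log.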