[Bug 1114383] chkstat is not always called after Zypper has installed packages
http://bugzilla.suse.com/show_bug.cgi?id=1114383 http://bugzilla.suse.com/show_bug.cgi?id=1114383#c6 Matthias Gerstner <matthias.gerstner@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ma@suse.com --- Comment #6 from Matthias Gerstner <matthias.gerstner@suse.com> --- Ah, I missed the bit that the reporter seems to have added custom set*id permissions for kcheckpass via the permissions file. So I got this partly wrong. Entries in /etc/permissions.local actually only work reliably for locally installed files like in /usr/local/... that are not managed by zypper. Or for overriding permissions of files that ship with set*id and thus call %set_permissions and %verify_permissions. There has been a long discussion regarding pam_yubico and gnome / KDE screensavers [1]. It is a difficult topic. There will always be some PAM modules that don't work without root privs. But having a lot of set*id binaries is also not desireable. SuSEconfig was removed in openSUSE 10.3, because it was only invoked by YaST but not by zypper or rpm directly. I don't know of any replacement. Maybe there is a possibility to run a hook script after certain zypper operations? Adding the zypper maintainer, maybe he has got some input on this. @fvogt: Since there seem to be at least some valid use cases to add a custom setuid bit to kcheckpass, you could still add calls to %set_permissions and %verify_permissions to your package, to allow users to override the permissions in a defined away. Otherwise only hacks come to my mind: - adding a system start service or cron job to call 'chkstat' on a regular basis - using a wrapper around 'zypper' to run chkstat after each zypper in/up/dup operation [1]: https://github.com/Yubico/yubico-pam/issues/113 -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com