[Bug 1171164] New: permission handling: %_libexecdir changes from /usr/lib to /usr/libexec
http://bugzilla.opensuse.org/show_bug.cgi?id=1171164

Bug ID: 1171164
Summary: permission handling: %_libexecdir changes from /usr/lib to /usr/libexec
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: dimstar@opensuse.org
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

In accordance with FHS-3.0, libexecdir is being changed from /usr/lib to /usr/libexec.

The permission definitions list files in /usr/lib, which are now moving, e.g. the dbus-1 package now fails with:

[ 277s] dbus-1.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/libexec/dbus-1/dbus-daemon-launch-helper is packaged with setuid/setgid bits (04750)
[ 277s] If the package is intended for inclusion in any SUSE product
[ 277s] please open a bug report to request review of the program by the
[ 277s] security team. Please refer to
[ 277s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 277s] more information.

The file used to be /usr/lib/dbus-1/dbus-daemon-launch-helper (on 32bit and 64 bit systems)

We need to list those /usr/lib/* things also as /usr/libexec (for a migration time probably in parallel, to not dead-lock future changes)

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1171164

Dominique Leuenberger <dimstar@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|security-team@suse.de       |malte.kraus@suse.com

http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c6

Callum Farmer <callumjfarmer13@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
                 CC|                            |callumjfarmer13@gmail.com
         Resolution|FIXED                       |---

--- Comment #6 from Callum Farmer <callumjfarmer13@gmail.com> ---
Doesn't look like it has been fixed. Still broken.
https://build.opensuse.org/package/live_build_log/openSUSE:Factory:Staging:A...

http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c7

Dominique Leuenberger <dimstar@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #7 from Dominique Leuenberger <dimstar@opensuse.org> ---
(In reply to Callum Farmer from comment #6)
> Doesn't look like it has been fixed. Still broken.
> https://build.opensuse.org/package/live_build_log/openSUSE:Factory:Staging:A... dbus-1/standard/i586

:A has sufficient other issues that I did not invest in rebootstrapping it with the fixed permissions file, notably rpmlint-mini is still unresolvable in :A - and that's the one needed to be resolved to get the udev fix in place. So far, all 'normal'

http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c8

Dominique Leuenberger <dimstar@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #8 from Dominique Leuenberger <dimstar@opensuse.org> ---
(In reply to Dominique Leuenberger from comment #7)
> (In reply to Callum Farmer from comment #6)
> > Doesn't look like it has been fixed. Still broken.
> > https://build.opensuse.org/package/live_build_log/openSUSE:Factory:Staging:A... dbus-1/standard/i586
>
> :A has sufficient other issues that I did not invest in rebootstrapping it with the fixed permissions file, notably rpmlint-mini is still unresolvable in :A - and that's the one needed to be resolved to get the udev fix in place.

grep dbus-daemon-launch-helper *

Actually, Callum is right here - the dbus-daemon-launch-helper is not authorized even in git/master of permissions for /usr/libexec (so even a rebootstrap would not have helped)

permissions.easy:/usr/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
permissions.paranoid:/usr/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 0750
permissions.secure:/usr/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
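
Added example, not part of the bug thread or of the permissions project: a check over grep-style profile lines like those quoted in comment #8 that reports every /usr/lib entry lacking an identical /usr/libexec twin in the same profile, which is the gap that triggers the permissions-file-setuid-bit error. The line layout and the function names are assumptions made for this sketch.

```python
import re

# First three lines are the grep output quoted in comment #8; the fourth is
# constructed here to show an entry that already has its /usr/libexec twin.
SAMPLE = """\
permissions.easy:/usr/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
permissions.paranoid:/usr/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 0750
permissions.secure:/usr/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
permissions.secure:/usr/libexec/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
"""

# Assumed line shape (taken from that grep output): <profile>:<path> <owner:group> <mode>
ENTRY = re.compile(r"^([^:\s]+):(/\S+)\s+(\S+:\S+)\s+([0-7]{3,4})$")

def parse(text):
    """Return {profile: {path: (owner, mode)}}; reject lines that do not parse."""
    profiles = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"unparsable entry: {raw!r}")
        profile, path, owner, mode = m.groups()
        profiles.setdefault(profile, {})[path] = (owner, int(mode, 8))
    return profiles

def missing_libexec(profiles, old="/usr/lib/", new="/usr/libexec/"):
    """Entries under `old` whose `new` twin is absent or differs in owner/mode."""
    gaps = []
    for profile, entries in sorted(profiles.items()):
        for path, (owner, mode) in sorted(entries.items()):
            if not path.startswith(old):  # "/usr/lib/" never matches /usr/lib64/ or /usr/libexec/
                continue
            twin = new + path[len(old):]
            if entries.get(twin) != (owner, mode):
                gaps.append((profile, twin, owner, mode))
    return gaps

def is_setid(mode):
    """True when the setuid or setgid bit is set."""
    return bool(mode & 0o6000)

if __name__ == "__main__":
    for profile, twin, owner, mode in missing_libexec(parse(SAMPLE)):
        kind = "setuid/setgid" if is_setid(mode) else "no setid bits"
        print(f"{profile}: {twin} {owner} {mode:04o}  # {kind}")
```

The result is a list of candidates for review rather than lines to paste in: later comments in this bug note packages whose helpers stay under /usr/lib.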

http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c9

--- Comment #9 from Callum Farmer <callumjfarmer13@gmail.com> ---
https://github.com/openSUSE/permissions/pull/85

http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c14

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com

--- Comment #14 from Dr. Werner Fink <werner@suse.com> ---
libutempter used by e.g. xterm

 /usr/lib64/libutempter.so.0
 /usr/lib64/libutempter.so.1.2.0
 /usr/libexec/utempter
 /usr/libexec/utempter/utempter

 strace -f -o log xterm

shows

 grep utempter/utempter log
 4615 execve("/usr/lib/utempter/utempter", ["/usr/lib/utempter/utempter", "add", ":3"], 0x7ffd9e696598 /* 112 vars */) = -1 ENOENT (No such file or directory)

suppose to use a utempter macro here .. or an autodetection at build time

http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c22

--- Comment #22 from Callum Farmer <callumjfarmer13@gmail.com> ---
(In reply to Matthias Gerstner from comment #16)
> I cleaned up the permissions profiles to remove the now unneeded /usr/lib entries. A number of entries still didn't move to libexec, however:
>
> - /usr/libexec/virtualbox/VirtualBoxVM
> - /usr/libexec/virtualbox/VBoxHeadless
> - /usr/libexec/virtualbox/VBoxSDL
> - /usr/libexec/virtualbox/VBoxNetAdpCtl
> - /usr/libexec/virtualbox/VBoxNetDHCP
> - /usr/libexec/virtualbox/VBoxNetNAT

```INSTALL_DIR=/usr/lib/virtualbox```
Unable to move; hardcoded location for everything, data should stay in /usr/lib.

http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c23

--- Comment #23 from Callum Farmer <gmbr3@opensuse.org> ---
(In reply to Matthias Gerstner from comment #16)
> I cleaned up the permissions profiles to remove the now unneeded /usr/lib entries. A number of entries still didn't move to libexec, however:
>
> - /usr/libexec/news/bin/rnews
> - /usr/libexec/news/bin/inews
> - /usr/libexec/news/bin/innbind
> - /usr/libexec/mgetty+sendfax/faxq-helper
> - /usr/libexec/polkit-1/polkit-agent-helper-1

Belongs in /usr/lib

http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c24

--- Comment #24 from Callum Farmer <gmbr3@opensuse.org> ---
(In reply to Callum Farmer from comment #23)
> (In reply to Matthias Gerstner from comment #16)
> > I cleaned up the permissions profiles to remove the now unneeded /usr/lib entries. A number of entries still didn't move to libexec, however:
> >
> > - /usr/libexec/polkit-1/polkit-agent-helper-1
>
> Belongs in /usr/lib

Correction

http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c25

--- Comment #25 from Callum Farmer <gmbr3@opensuse.org> ---
(In reply to Matthias Gerstner from comment #16)
> I cleaned up the permissions profiles to remove the now unneeded /usr/lib entries. A number of entries still didn't move to libexec, however:
>
> - /usr/libexec/news/bin/rnews
> - /usr/libexec/news/bin/inews
> - /usr/libexec/news/bin/innbind

In progress.

http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c26

--- Comment #26 from Callum Farmer <gmbr3@opensuse.org> ---
(In reply to Matthias Gerstner from comment #16)
> I cleaned up the permissions profiles to remove the now unneeded /usr/lib entries. A number of entries still didn't move to libexec, however:
>
> - /usr/libexec/polkit-1/polkit-agent-helper-1

IN PROGRESS

http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c27

--- Comment #27 from Callum Farmer <gmbr3@opensuse.org> ---
(In reply to Matthias Gerstner from comment #16)
> I cleaned up the permissions profiles to remove the now unneeded /usr/lib entries. A number of entries still didn't move to libexec, however:
>
> - /usr/libexec/usbauth-notifier
> - /usr/libexec/usbauth-notifier/usbauth-notifier
> - /usr/libexec/authbind/helper

IN PROGRESS

http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c28

Callum Farmer <gmbr3@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(matthias.gerstner
                   |                            |@suse.com)

--- Comment #28 from Callum Farmer <gmbr3@opensuse.org> ---
(In reply to Callum Farmer from comment #26)
> (In reply to Matthias Gerstner from comment #16)
> > I cleaned up the permissions profiles to remove the now unneeded /usr/lib entries. A number of entries still didn't move to libexec, however:
> >
> > - /usr/libexec/polkit-1/polkit-agent-helper-1
>
> IN PROGRESS

Moved to /usr/libexec/polkit-agent-helper-1

http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c43

--- Comment #43 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1171164) was mentioned in
https://build.opensuse.org/request/show/905249 Factory / mgetty

http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c46

--- Comment #46 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1171164) was mentioned in
https://build.opensuse.org/request/show/931965 15.3 / permissions