[Bug 1171164] New: permission handling: %_libexecdir changes from /usr/lib to /usr/libexec
http://bugzilla.opensuse.org/show_bug.cgi?id=1171164

Bug ID: 1171164
Summary: permission handling: %_libexecdir changes from /usr/lib to /usr/libexec
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: dimstar@opensuse.org
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

In accordance with FHS-3.0, libexecdir is being changed from /usr/lib to /usr/libexec.

The permission definitions list files in /usr/lib, which are now moving, e.g. the dbus-1 package now fails with:

[ 277s] dbus-1.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/libexec/dbus-1/dbus-daemon-launch-helper is packaged with setuid/setgid bits (04750)
[ 277s] If the package is intended for inclusion in any SUSE product
[ 277s] please open a bug report to request review of the program by the
[ 277s] security team. Please refer to
[ 277s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 277s] more information.

The file used to be /usr/lib/dbus-1/dbus-daemon-launch-helper (on 32bit and 64 bit systems)

We need to list those /usr/lib/* things also as /usr/libexec (for a migration time probably in parallel, to not dead-lock future changes)
Dominique Leuenberger
http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c6
Callum Farmer
http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c7
Dominique Leuenberger
Doesn't look like it has been fixed. Still broken.
https://build.opensuse.org/package/live_build_log/openSUSE:Factory:Staging:A... dbus-1/standard/i586
:A has sufficient other issues that I did not invest in rebootstrapping it with the fixed permissions file, notably rpmlint-mini is still unresolvable in :A - and that's the one needed to be resolved to get the udev fix in place. So far, all 'normal'
http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c8
Dominique Leuenberger
(In reply to Callum Farmer from comment #6)
Doesn't look like it has been fixed. Still broken.
https://build.opensuse.org/package/live_build_log/openSUSE:Factory:Staging:A... dbus-1/standard/i586
:A has sufficient other issues that I did not invest in rebootstrapping it with the fixed permissions file, notably rpmlint-mini is still unresolvable in :A - and that's the one needed to be resolved to get the udev fix in place.
Actually, Callum is right here - the dbus-daemon-launch-helper is not authorized even in git/master of permissions for /usr/libexec (so even a rebootstrap would not have helped)

grep dbus-daemon-launch-helper *
permissions.easy:/usr/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
permissions.paranoid:/usr/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 0750
permissions.secure:/usr/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
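The gap found with grep above can be checked across all profiles at once. The following is an added example, not code from the permissions package or from anyone in this thread: it parses lines in the "path owner:group mode" form shown in the grep output and reports /usr/lib entries that have no /usr/libexec counterpart. The sample profiles are constructed, and both the one-to-one sub-path mapping and the treatment of '#' as a comment marker are assumptions.

```python
# Added example: report /usr/lib profile entries lacking a /usr/libexec twin.
# Assumption: a moved file keeps its sub-path (true for dbus-1 in this thread).
OLD_PREFIX = "/usr/lib/"
NEW_PREFIX = "/usr/libexec/"

# Constructed sample (profile name -> contents), modelled on the grep output.
HELPER = "dbus-1/dbus-daemon-launch-helper"
SAMPLE_PROFILES = {
    "permissions.easy": f"/usr/lib/{HELPER} root:messagebus 4750\n",
    "permissions.paranoid": (
        f"/usr/lib/{HELPER} root:messagebus 0750\n"
        f"/usr/libexec/{HELPER} root:messagebus 0750  # already migrated\n"
    ),
    "permissions.secure": f"/usr/lib/{HELPER} root:messagebus 4750\n",
}


def parse_profile(text):
    """Return {path: (owner_group, mode)} from 'path owner:group mode' lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 3:
            continue  # blank, comment-only, or a form this sketch does not model
        path, owner_group, mode = fields
        entries[path] = (owner_group, int(mode, 8))
    return entries


def missing_libexec_twins(profiles):
    """Return (profile, old_path, proposed_line, is_setid) per missing twin."""
    findings = []
    for name in sorted(profiles):
        entries = parse_profile(profiles[name])
        for path, (owner_group, mode) in sorted(entries.items()):
            if not path.startswith(OLD_PREFIX):
                continue
            twin = NEW_PREFIX + path[len(OLD_PREFIX):]
            if twin in entries:
                continue
            proposed = f"{twin} {owner_group} {mode:04o}"
            findings.append((name, path, proposed, bool(mode & 0o6000)))
    return findings


if __name__ == "__main__":
    for name, old, proposed, setid in missing_libexec_twins(SAMPLE_PROFILES):
        print(f"{name}: {old} -> add '{proposed}' (setuid/setgid: {setid})")
```

Entries flagged with setuid/setgid bits are the ones rpmlint rejects when the packaged path is not listed, so they are the ones to add first during the parallel-listing period.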
http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c9
--- Comment #9 from Callum Farmer
http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c14
Dr. Werner Fink
http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c22
--- Comment #22 from Callum Farmer
I cleaned up the permissions profiles to remove the now unneeded /usr/lib entries. A number of entries still didn't move to libexec, however:
- /usr/libexec/virtualbox/VirtualBoxVM
- /usr/libexec/virtualbox/VBoxHeadless
- /usr/libexec/virtualbox/VBoxSDL
- /usr/libexec/virtualbox/VBoxNetAdpCtl
- /usr/libexec/virtualbox/VBoxNetDHCP
- /usr/libexec/virtualbox/VBoxNetNAT
```INSTALL_DIR=/usr/lib/virtualbox``` Unable to move; hardcoded location for everything, data should stay in /usr/lib.
http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c23
--- Comment #23 from Callum Farmer
I cleaned up the permissions profiles to remove the now unneeded /usr/lib entries. A number of entries still didn't move to libexec, however:
- /usr/libexec/news/bin/rnews
- /usr/libexec/news/bin/inews
- /usr/libexec/news/bin/innbind
- /usr/libexec/mgetty+sendfax/faxq-helper
- /usr/libexec/polkit-1/polkit-agent-helper-1
Belongs in /usr/lib
http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c24
--- Comment #24 from Callum Farmer
(In reply to Matthias Gerstner from comment #16)
I cleaned up the permissions profiles to remove the now unneeded /usr/lib entries. A number of entries still didn't move to libexec, however:
- /usr/libexec/polkit-1/polkit-agent-helper-1
Belongs in /usr/lib
Correction
http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c25
--- Comment #25 from Callum Farmer
I cleaned up the permissions profiles to remove the now unneeded /usr/lib entries. A number of entries still didn't move to libexec, however:
- /usr/libexec/news/bin/rnews
- /usr/libexec/news/bin/inews
- /usr/libexec/news/bin/innbind
In progress.
http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c26
--- Comment #26 from Callum Farmer
I cleaned up the permissions profiles to remove the now unneeded /usr/lib entries. A number of entries still didn't move to libexec, however:
- /usr/libexec/polkit-1/polkit-agent-helper-1
IN PROGRESS
http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c27
--- Comment #27 from Callum Farmer
I cleaned up the permissions profiles to remove the now unneeded /usr/lib entries. A number of entries still didn't move to libexec, however:
- /usr/libexec/usbauth-notifier
- /usr/libexec/usbauth-notifier/usbauth-notifier
- /usr/libexec/authbind/helper
IN PROGRESS
http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c28
Callum Farmer
(In reply to Matthias Gerstner from comment #16)
I cleaned up the permissions profiles to remove the now unneeded /usr/lib entries. A number of entries still didn't move to libexec, however:
- /usr/libexec/polkit-1/polkit-agent-helper-1
IN PROGRESS
Moved to /usr/libexec/polkit-agent-helper-1
http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c43
--- Comment #43 from OBSbugzilla Bot
http://bugzilla.opensuse.org/show_bug.cgi?id=1171164#c46
--- Comment #46 from OBSbugzilla Bot