[Bug 862953] New: AUDIT-0: kinit: W: permissions-file-setuid-bit /usr/lib/kde5/libexec/start_kdeinit is packaged with setuid/setgid bits (04755)
https://bugzilla.novell.com/show_bug.cgi?id=862953
https://bugzilla.novell.com/show_bug.cgi?id=862953#c0

           Summary: AUDIT-0: kinit: W: permissions-file-setuid-bit /usr/lib/kde5/libexec/start_kdeinit is packaged with setuid/setgid bits (04755)
    Classification: openSUSE
           Product: openSUSE Factory
           Version: 13.2 Milestone 0
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: hrvoje.senjan@gmail.com
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0

Please review package kinit, which can be found in the KDE:Frameworks5 project.
Code is more or less (haven't looked in detail tbh) the same as in kdelibs4, but ported to Qt 5/KDE Frameworks 5.
Thanks!

Reproducible: Always

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=862953#c

Sebastian Krahmer <krahmer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |security-team@suse.de
         AssignedTo|security-team@suse.de       |krahmer@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=862953#c1

Sebastian Krahmer <krahmer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
       InfoProvider|                            |hrvoje.senjan@gmail.com

--- Comment #1 from Sebastian Krahmer <krahmer@suse.com> 2014-02-17 10:29:46 UTC ---
I think the code is OK, although a weird architecture. Nevertheless, I vote for using a CAP_SYS_RESOURCE file capability on start_kdeinit rather than the suid root bit. And then, instead of calling setuid(getuid()), drop the caps to 0.
https://bugzilla.novell.com/show_bug.cgi?id=862953#c2

Hrvoje Senjan <hrvoje.senjan@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hrvoje.senjan@gmail.com
       InfoProvider|hrvoje.senjan@gmail.com     |krahmer@suse.com

--- Comment #2 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-02-19 20:41:17 UTC ---
Sebastian, to be honest, I am not sure what I should do =) I see a NEEDINFO on me. Are you asking whether I agree with your solution, or should I do something with the package?
https://bugzilla.novell.com/show_bug.cgi?id=862953#c3

Sebastian Krahmer <krahmer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
       InfoProvider|krahmer@suse.com            |

--- Comment #3 from Sebastian Krahmer <krahmer@suse.com> 2014-02-24 10:03:46 UTC ---
We should make a patch that is using CAP_SYS_RESOURCE rather than suid root. Do you have contact to upstream? That would be the preferred way; having a patch from upstream. Otherwise, we need to make our own, but that's doable.
https://bugzilla.novell.com/show_bug.cgi?id=862953#c4

David Faure <faure@kde.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |faure@kde.org

--- Comment #4 from David Faure <faure@kde.org> 2014-03-02 10:45:53 UTC ---
Hello, I can be your "upstream contact", but actually this code is from one of your colleagues, Lubos Lunak :)

I am happy to review (or more likely pass along for review) a patch that uses CAP_SYS_RESOURCE (where available - don't assume linux-only), but I don't know much about that myself so I can't write the patch.
https://bugzilla.novell.com/show_bug.cgi?id=862953#c5

--- Comment #5 from Sebastian Krahmer <krahmer@suse.com> 2014-03-10 13:03:45 UTC ---
Created an attachment (id=581562)
 --> (http://bugzilla.novell.com/attachment.cgi?id=581562)
capability patch.
https://bugzilla.novell.com/show_bug.cgi?id=862953#c6

Sebastian Krahmer <krahmer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
       InfoProvider|                            |faure@kde.org

--- Comment #6 from Sebastian Krahmer <krahmer@suse.com> 2014-03-10 13:05:29 UTC ---
Basically a patch like this, and rather than having the binary +s root, make it 'setcap cap_sys_resource=ep'.
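As an added illustration of the approach proposed in comments #1 and #6 (this is example code written for this page, not code from kinit, start_kdeinit, or the attached patch): a helper that is installed with the CAP_SYS_RESOURCE file capability instead of the setuid-root bit, uses the capability for one privileged task, and then clears its capability sets instead of calling setuid(getuid()). The function names are mine. The raw capget(2)/capset(2) syscalls are used so the example builds without linking libcap. The use of the capability shown here, lowering /proc/<pid>/oom_score_adj, is an assumption: the bug only says "OOM protection", and lowering that value below its current setting does require CAP_SYS_RESOURCE. The example is Linux-only, which is exactly the caveat David raises in comment #4; an upstream patch would have to guard this with a build-time check.

```c
/* Added example, not code from kinit/start_kdeinit: run with a
 * CAP_SYS_RESOURCE file capability, use it once, then drop all caps. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* v3 capability ABI: two 32-bit words per capability set. */
#define CAP_WORDS _LINUX_CAPABILITY_U32S_3

/* Returns 1 if `cap` is in this process's effective set, 0 if not,
 * -1 on error (errno set). */
int has_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[CAP_WORDS];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) != 0;
}

/* Clears the effective, permitted and inheritable sets. With a file
 * capability instead of setuid root the uid never changed, so this is
 * the replacement for the setuid(getuid()) step. 0 on success, -1 on error. */
int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[CAP_WORDS];
    memset(data, 0, sizeof data);   /* all three sets empty */
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Assumed privileged task (the bug only says "OOM protection"): writing a
 * value below the current one to /proc/<pid>/oom_score_adj needs
 * CAP_SYS_RESOURCE. 0 on success, -1 on error (errno set). */
int set_oom_score_adj(pid_t pid, int adj)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/oom_score_adj", (long)pid);
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    int ok = fprintf(f, "%d\n", adj) > 0;
    if (fclose(f) != 0)          /* the buffered write happens here, so EACCES shows up here */
        ok = 0;
    return ok ? 0 : -1;
}

int main(void)
{
    printf("CAP_SYS_RESOURCE effective before: %d\n",
           has_effective_cap(CAP_SYS_RESOURCE));

    /* Use the capability while we still have it. */
    if (set_oom_score_adj(getpid(), -500) != 0)
        printf("oom_score_adj not lowered: %s\n", strerror(errno));

    /* Drop every capability before doing anything else (e.g. exec'ing kdeinit). */
    if (drop_all_caps() != 0) {
        perror("capset");
        return 1;
    }
    printf("CAP_SYS_RESOURCE effective after:  %d\n",
           has_effective_cap(CAP_SYS_RESOURCE));
    return 0;
}
```

To try it with the capability, install the binary as root and run setcap cap_sys_resource=ep on it, as comment #6 says; getcap on the file shows whether the extended attribute is really there (it is silently lost when the file is copied without xattrs). Run as an ordinary user without the file capability, the "before" line prints 0 and the oom_score_adj write fails with EACCES; with the file capability the "before" line prints 1, the write succeeds, and the "after" line still prints 0.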
https://bugzilla.novell.com/show_bug.cgi?id=862953#c7

--- Comment #7 from Sebastian Krahmer <krahmer@suse.com> 2014-03-18 08:09:29 UTC ---
ping
https://bugzilla.novell.com/show_bug.cgi?id=862953#c8

--- Comment #8 from David Faure <faure@kde.org> 2014-03-23 00:00:15 UTC ---
Well, clearly the CMakeLists.txt change to "call setcap after make install" is missing. This cannot go in without that, for people who install from sources (I guess you solve it on your side by a rule in the RPM spec file).
https://bugzilla.novell.com/show_bug.cgi?id=862953#c9

--- Comment #9 from Sebastian Krahmer <krahmer@suse.com> 2014-03-24 08:59:57 UTC ---
Might be; it is just a proposal to show how the capability code would be working. :) Can you adjust it to a full patch and attach it here?
https://bugzilla.novell.com/show_bug.cgi?id=862953#c10

--- Comment #10 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-03-26 09:21:33 UTC ---
@Sebastian, I'll try to extend your patch with the CMake bits, attach it here, and also open a review upstream. The first, and biggest, problem I see is that, at least on openSUSE, setcap is not in $PATH.
https://bugzilla.novell.com/show_bug.cgi?id=862953#c11

--- Comment #11 from Sebastian Krahmer <krahmer@suse.com> 2014-03-26 09:29:47 UTC ---
Ok. setcap requires libcap-progs.
https://bugzilla.novell.com/show_bug.cgi?id=862953#c12

--- Comment #12 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-03-26 23:18:04 UTC ---
Created an attachment (id=583870)
 --> (http://bugzilla.novell.com/attachment.cgi?id=583870)
Sebastian's patch + CMake bits
https://bugzilla.novell.com/show_bug.cgi?id=862953#c13

--- Comment #13 from Sebastian Krahmer <krahmer@suse.com> 2014-03-31 07:59:30 UTC ---
Ok, looks good. Should be applied for Factory.
https://bugzilla.novell.com/show_bug.cgi?id=862953#c14

--- Comment #14 from Sebastian Krahmer <krahmer@suse.com> 2014-04-07 08:30:23 UTC ---
Ping. That's all from my side here. Can this be closed when the patch is applied?
https://bugzilla.novell.com/show_bug.cgi?id=862953#c15

--- Comment #15 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-04-07 16:58:49 UTC ---
(In reply to comment #14)
> Ping. That's all from my side here. Can this be closed when the patch is applied?

I'll add the patch once I adjust it per the upstream review (mainly the CMake part). Whether it should be closed, that I can't say. Don't we need adjustments in permissions? As we'll need to %verify & %set capabilities.
https://bugzilla.novell.com/show_bug.cgi?id=862953#c16

--- Comment #16 from Sebastian Krahmer <krahmer@suse.com> 2014-04-08 09:07:40 UTC ---
OK. Ping us if it's accepted upstream, so we can update the permissions file.
https://bugzilla.novell.com/show_bug.cgi?id=862953#c17

Hrvoje Senjan <hrvoje.senjan@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |CLOSED
       InfoProvider|faure@kde.org               |
         Resolution|                            |WONTFIX

--- Comment #17 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-04-22 18:36:09 UTC ---
In the end, we just won't utilize OOM protection =)