[opensuse-buildservice] rpmlintrc addfilter stopped working in Factory only
Similar to http://lists.opensuse.org/opensuse-buildservice/2011-06/msg00197.html I have:

incron.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/bin/incrontab is packaged with setuid/setgid bits (04755) If the package is intended for inclusion in any SUSE product please open a bug report to request review of the program by the security team

Even though I have, in incron.rpmlintrc:

addFilter("permissions-file-setuid-bit .*/usr/bin/incrontab")

and that's been working in every version from 10.0 to 11.4.

The suggestion about setBadness, doesn't that mean to ignore the error on any file that might trigger it? How is ignoring an error everywhere better than selectively ignoring it for a single specific known file? You can't make that suggestion and still say you are worried about people's safety and trying to make things the most correct they can be.

The package is incron:
https://build.opensuse.org/package/files?package=incron&project=home%3Aaljex

-- bkw

-- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
Try this:

setBadness("permissions-file-setuid-bit", 100)

That should decrease the badness index to 100 so you can still get your package built, but it should be fixed.

NM

2011/10/11 Brian K. White <brian@aljex.com>:
Similar to http://lists.opensuse.org/opensuse-buildservice/2011-06/msg00197.html
I have: incron.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/bin/incrontab is packaged with setuid/setgid bits (04755) If the package is intended for inclusion in any SUSE product please open a bug report to request review of the program by the security team
Even though I have: incron.rpmlintrc addFilter("permissions-file-setuid-bit .*/usr/bin/incrontab") and that's been working in every version from 10.0 to 11.4
The suggestion about setBadness, doesn't that mean to ignore the error on any file that might trigger it? How is ignoring an error everywhere better than selectively ignoring it for a single specific known file? You can't make that suggestion and still say you are worried about people's safety and trying to make things the most correct they can be.
The package is incron:
https://build.opensuse.org/package/files?package=incron&project=home%3Aaljex
-- bkw
-- Nelson Marques /* http://www.marques.so nmo.marques@gmail.com */
I already gathered that from the other archived post I linked to.

My question is, I don't WANT to allow any and all files to pass this check. Previously I could allow this one file that I specifically knew all about, yet if, say, a new suid file appeared in a later version of the package, it wouldn't get automatically built and distributed.

Badness 100 means other files will still appear in build logs at least, but the package will still get built and distributed and installed all automatically whether I look at the build log or not.

Perhaps I could set the badness higher so that it just barely passes, so any other files would block the build. But then I can't know what order some other possible new file would appear. Maybe a new suid file appears in a later version of the upstream package and it happens to appear earlier in the build process than the file I know about. Maybe the file I know about is no longer suid at the same time? Now instead of the accurate and safe behavior I had, I have the possibility of some totally other file I do not agree with passing the check and getting all the way onto production boxes.

That scenario is a little bit contrived, but then again every security exploit everywhere is made of exactly such loopholes. This is NOT an increase in safety.

I'll get the package built. I just do not like the forced decrease in safety. Especially galling is inflicting an unwilling decrease in security, and claiming it's to increase security.

-- bkw

On 10/11/2011 1:05 PM, Nelson Marques wrote:
Try this:
setBadness("permissions-file-setuid-bit", 100)
That should decrease the badness index to 100 so you can still get your package built, but it should be fixed.
NM
2011/10/11 Brian K. White<brian@aljex.com>:
Similar to http://lists.opensuse.org/opensuse-buildservice/2011-06/msg00197.html
I have: incron.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/bin/incrontab is packaged with setuid/setgid bits (04755) If the package is intended for inclusion in any SUSE product please open a bug report to request review of the program by the security team
Even though I have: incron.rpmlintrc addFilter("permissions-file-setuid-bit .*/usr/bin/incrontab") and that's been working in every version from 10.0 to 11.4
The suggestion about setBadness, doesn't that mean to ignore the error on any file that might trigger it? How is ignoring an error everywhere better than selectively ignoring it for a single specific known file? You can't make that suggestion and still say you are worried about people's safety and trying to make things the most correct they can be.
The package is incron:
https://build.opensuse.org/package/files?package=incron&project=home%3Aaljex
-- bkw
On 10/11/2011 1:01 PM, Brian K. White wrote:
Similar to http://lists.opensuse.org/opensuse-buildservice/2011-06/msg00197.html
I have: incron.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/bin/incrontab is packaged with setuid/setgid bits (04755) If the package is intended for inclusion in any SUSE product please open a bug report to request review of the program by the security team
Even though I have: incron.rpmlintrc addFilter("permissions-file-setuid-bit .*/usr/bin/incrontab") and that's been working in every version from 10.0 to 11.4
The suggestion about setBadness, doesn't that mean to ignore the error on any file that might trigger it? How is ignoring an error everywhere better than selectively ignoring it for a single specific known file? You can't make that suggestion and still say you are worried about people's safety and trying to make things the most correct they can be.
The package is incron:
https://build.opensuse.org/package/files?package=incron&project=home%3Aaljex
I used setBadness 900 and the package built, and at 900, at least I know only one suid file can pass, although I no longer can specify which file should be allowed.

-- bkw
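To make the trade-off argued in this thread concrete, here is a small Python model of how an rpmlint-style checker combines the two rpmlintrc directives into a pass/fail decision: addFilter() drops every message whose text matches a regex, while setBadness() reweights one check for every file it fires on. This is an added illustration written for this page, not rpmlint's or the incron package's own code; the pass threshold of 1000, the simplified message format, and the second setuid path /usr/bin/surprise-helper are assumptions constructed for the example.

```python
import re

# Assumed pass threshold for the model (not taken from the thread): a package
# whose accumulated badness reaches this value fails the build.
THRESHOLD = 1000

# Default weight of the check, as printed in the thread's build log.
DEFAULT_BADNESS = {"permissions-file-setuid-bit": 10000}

# Constructed findings in a simplified "check detail" form. KNOWN is the file
# the packager reviewed; NEW is a hypothetical setuid file that might appear in
# a later upstream release.
KNOWN = ("permissions-file-setuid-bit",
         "/usr/bin/incrontab is packaged with setuid/setgid bits (04755)")
NEW = ("permissions-file-setuid-bit",
       "/usr/bin/surprise-helper is packaged with setuid/setgid bits (04755)")


class Lint:
    """Minimal stand-in for the filter/badness logic of an rpmlint run."""

    def __init__(self):
        self.filters = []
        self.badness = dict(DEFAULT_BADNESS)

    def addFilter(self, pattern):
        # rpmlintrc directive: suppress any message matching the regex
        self.filters.append(re.compile(pattern))

    def setBadness(self, check, value):
        # rpmlintrc directive: change the weight of a check for EVERY file
        self.badness[check] = value

    def score(self, findings):
        # Sum the weight of every unfiltered finding; return total and what
        # would still be reported in the build log.
        total, reported = 0, []
        for check, detail in findings:
            msg = f"{check} {detail}"
            if any(f.search(msg) for f in self.filters):
                continue
            total += self.badness.get(check, 0)
            reported.append(msg)
        return total, reported

    def build_passes(self, findings):
        total, _ = self.score(findings)
        return total < THRESHOLD


def outcomes(lint):
    # (known file only, known + new file, new file instead of known)
    return (lint.build_passes([KNOWN]),
            lint.build_passes([KNOWN, NEW]),
            lint.build_passes([NEW]))


def with_filter():
    # The path-specific filter from the thread: only the reviewed file is
    # exempt, so any other setuid file still blocks the build.
    lint = Lint()
    lint.addFilter("permissions-file-setuid-bit .*/usr/bin/incrontab")
    return outcomes(lint)


def with_setbadness(value):
    # The setBadness approach: the weight applies to whichever file fires the
    # check, so the exemption can no longer name a specific path.
    lint = Lint()
    lint.setBadness("permissions-file-setuid-bit", value)
    return outcomes(lint)


if __name__ == "__main__":
    print("addFilter on known path:", with_filter())        # (True, False, False)
    print("setBadness 900:        ", with_setbadness(900))  # (True, False, True)
    print("setBadness 100:        ", with_setbadness(100))  # (True, True, True)
```

The three tuples show the difference being argued about: the path-specific filter lets exactly the reviewed file through and fails the build for anything else; setBadness 900 lets any single setuid file through, including one that replaces the reviewed file; setBadness 100 lets several through at once. Under this model the filter is the only one of the three that ties the exemption to the file that was actually reviewed.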
participants (2)
-
Brian K. White
-
Nelson Marques