# zypp - allow opensuseupdater to do its job /usr/sbin/zypp-checkpatches-wrapper root:root 4755
Regards,
Christian Boltz what about a default apparmor wrap on opensuse updater?
It calls /usr/sbin/zypp-checkpatches-wrapper, which would need one and then it will be quiet difficult to confine this setuid root binary. In general... The reason the zypp-checkpatches-wrapper is setuid root is mostly for keeping potential privacy information in the configured repositories ... Think user/password pairs for FTP servers, or for SLE the deviceid/secret pairs. Also for not doing the download twice, but this could be done in a cron job. Ciao, Marcus --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org