On Sat, Sep 07, 2013 at 11:39:46AM +0400, Andrey Borzenkov wrote:
On Sat, 07 Sep 2013 08:38:48 +0200 Thomas Leineweber <thomas@tleine.de> writes:
Hello,
On 07.09.2013 08:31, Andrey Borzenkov wrote:
I try to rebuild mailman with htdig patch but I get
[ 149s] (none): E: badness 20000 exceeds threshold 1000, aborting.
I compared build logs with devel project and it has the same amount of warnings; the only difference is /proc warnings
[ 140s] warning: Failed to read auxiliary vector, /proc not mounted?
[ 140s] warning: Failed to read auxiliary vector, /proc not mounted?
but I normally always see them in build logs and so far they did not cause any harm.
Could someone explain where this badness comes from?
https://build.opensuse.org/package/rawlog/home:arvidjaar:branches:server:mai...
Reading the logfile, you can find:
[ 149s] mailman.i586: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/mailman/cgi-bin/htdig is packaged with setuid/setgid bits (02755)
[ 149s] mailman.i586: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/mailman/cgi-bin/mmsearch is packaged with setuid/setgid bits (02755)
[ 149s] If the package is intended for inclusion in any SUSE product please open a bug
[ 149s] report to request review of the program by the security team
All files under /usr/lib/mailman/cgi-bin are SGID. Why does it complain about these two files only?
Because the other ones have been audited and whitelisted already, these new ones have not.
Spec also has the line
%verify(not mode) %attr(2755, root, mailman) /usr/lib/mailman/cgi-bin/*
And I added these files to /usr/lib/mailman/sgidlist assuming that this goes wrong (but as far as I understand it runs during installation):
%verifyscript %verify_permissions -f /usr/lib/mailman/sgidlist
Open a bug and assign to the security team requesting audit. Or do not ship them. ;)

Ciao, Marcus
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
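The rpmlint complaint discussed in the thread is, at its core, a whitelist check: every regular file in the packaged tree that carries a setuid or setgid bit must appear on an audited allowlist, otherwise it is reported. The script below is an added illustration of that check and is not code from the thread, from rpmlint or from the mailman package; the fixture tree, the file names under cgi-bin and the allowlist contents are constructed sample data chosen to mirror the log lines quoted above, where two already-audited CGIs pass and the two new ones (htdig, mmsearch) are flagged.

```shell
#!/bin/sh
# Added example: emulate the allowlist logic behind rpmlint's
# permissions-file-setuid-bit check. Not rpmlint's own code.

# Print, one per line and sorted, every regular file under $1 that has the
# setuid (4000) or setgid (2000) bit set and whose path relative to $1 is not
# listed verbatim in the allowlist file $2. Anything printed is "unaudited".
find_unlisted_sxid() {
    root=$1
    allow=$2
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while read -r f; do
        rel=${f#"$root"/}
        # -x: whole-line match, -F: fixed string, -q: exit status only
        if ! grep -qxF -- "/$rel" "$allow"; then
            printf '%s\n' "/$rel"
        fi
    done | sort
}

# Build a constructed fixture: four SGID (2755) CGIs in a mailman-like layout,
# of which only two are on the allowlist (sample names, not real package data).
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/lib/mailman/cgi-bin"
    for cgi in listinfo admin htdig mmsearch; do
        : > "$tmp/usr/lib/mailman/cgi-bin/$cgi"
        chmod 2755 "$tmp/usr/lib/mailman/cgi-bin/$cgi"
    done
    printf '%s\n' /usr/lib/mailman/cgi-bin/listinfo \
                  /usr/lib/mailman/cgi-bin/admin > "$tmp/allowlist"
    printf '%s\n' "$tmp"
}

# Run the check against the fixture and clean up.
demo() {
    root=$(make_fixture)
    echo "setuid/setgid files not on the allowlist:"
    find_unlisted_sxid "$root" "$root/allowlist"
    rm -rf "$root"
}

demo
```

The allowlist is matched as whole, literal lines, so a path is only accepted when it was explicitly recorded after review; a new binary inheriting 2755 from a wildcard like `%attr(2755, root, mailman) /usr/lib/mailman/cgi-bin/*` shows up immediately, which is exactly the situation the build log reports.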