Hello, hereby I ask for comments what you think about to establish more automated checks during package submission to at least warn about "possibly hidden running as root" stuff. What I mean with "hidden running as root" is everything where normal users can trigger in a non-obvious way that executables are run as root. For example RPM scriptlets, SysVinit scripts, systemd stuff, system daemons, and setuid root binaries are obviously run as root. But there are various non-obvious ways how normal users can trigger that whatever executables get run as root, for example: udev rules that run /path/to/whatever/executable where normal user actions can trigger such an udev rule, see for example my "Explanation why I cannot run hp-config_usb_printer via udev" in https://bugs.launchpad.net/hplip/+bug/1220628/comments/18 Executables that are launched by daemon processes that run as root for example CUPS backends without world execute permissions in /usr/lib/cups/backend/ are run as the root user. FYI: The reason why I ask for automated checks during package submission to at least warn about "possibly hidden running as root" stuff is http://lists.opensuse.org/opensuse-security/2014-06/msg00019.html ----------------------------------------------------------------------- ... boomaga managed to sneak into Factory already. ----------------------------------------------------------------------- The boomaga RPM installs -rwx------ root root /usr/lib/cups/backend/boomaga Kind Regards Johannes Meixner -- SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org