http://bugzilla.suse.com/show_bug.cgi?id=1114383
http://bugzilla.suse.com/show_bug.cgi?id=1114383#c6
Matthias Gerstner changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ma@suse.com
--- Comment #6 from Matthias Gerstner ---
Ah, I missed the bit that the reporter seems to have added custom set*id
permissions for kcheckpass via the permissions file. So I got this partly
wrong.
Entries in /etc/permissions.local actually only work reliably for locally
installed files like in /usr/local/... that are not managed by zypper. Or for
overriding permissions of files that ship with set*id and thus call
%set_permissions and %verify_permissions.
There has been a long discussion regarding pam_yubico and gnome / KDE
screensavers [1]. It is a difficult topic. There will always be some PAM
modules that don't work without root privs. But having a lot of set*id
binaries is also not desirable.
SuSEconfig was removed in openSUSE 10.3, because it was only invoked by YaST
but not by zypper or rpm directly. I don't know of any replacement. Maybe
there is a possibility to run a hook script after certain zypper operations?
Adding the zypper maintainer, maybe he has got some input on this.
@fvogt: Since there seem to be at least some valid use cases to add a custom
setuid bit to kcheckpass, you could still add calls to %set_permissions and
%verify_permissions to your package, to allow users to override the
permissions in a defined way.
Otherwise only hacks come to my mind:
- adding a system start service or cron job to call 'chkstat' on a regular
basis
- using a wrapper around 'zypper' to run chkstat after each zypper in/up/dup
operation
[1]: https://github.com/Yubico/yubico-pam/issues/113
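
Added example, not part of the original comment and not code from the permissions package: a minimal mode-drift check in the spirit of the periodic 'chkstat' run suggested above, showing how a custom set*id entry silently stops matching once a package update rewrites the file. The `<path> <owner>:<group> <mode>` entry layout is the permissions-file format; the stand-in file, the `root:root 4755` entry and the function names are constructed for illustration.

```python
import os
import stat
import tempfile

def parse_permissions(text):
    """Parse '<path> <owner>:<group> <mode>' entries; skip comments, blanks
    and '+capabilities' continuation lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("+"):
            continue
        fields = line.split()
        if len(fields) != 3 or ":" not in fields[1]:
            raise ValueError(f"malformed entry: {raw!r}")
        owner, group = fields[1].split(":", 1)
        entries.append((fields[0], owner, group, int(fields[2], 8)))
    return entries

def mode_drift(entries):
    """Return (path, wanted, actual) for files whose mode bits differ.
    Ownership is parsed but not compared here; actual is None if missing."""
    drift = []
    for path, _owner, _group, wanted in entries:
        try:
            actual = stat.S_IMODE(os.lstat(path).st_mode)
        except FileNotFoundError:
            drift.append((path, wanted, None))
            continue
        if actual != wanted:
            drift.append((path, wanted, actual))
    return drift

def demo():
    """Constructed scenario: a package update has rewritten the file as 0755."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "kcheckpass")  # stand-in file, not the real binary
        open(target, "w").close()
        os.chmod(target, 0o755)                   # state after the reinstall
        entries = parse_permissions(f"# constructed entry\n{target} root:root 4755\n")
        before = mode_drift(entries)              # custom setuid bit is gone
        os.chmod(target, 0o4755)                  # what re-applying the entry restores
        after = mode_drift(entries)
        return before, after

if __name__ == "__main__":
    for path, wanted, actual in demo()[0]:
        print(f"{path}: wanted {wanted:04o}, found {actual:04o}")
```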