Re: [opensuse-buildservice] rpmlintrc addfilter stopped working in Factory only

11 Oct 2011

      I already gathered that from the other archived post I linked to.

My question is, I don't WANT to allow any and all files to pass this 
check. Previously I could allow this one file that I specifically knew 
all about, yet if say a new suid file appeared in a later version of the 
package, it wouldn't get automatically built and distributed.

badness 100 means other files will still appear in build logs at least, 
but the package will still get built and distributed and installed all 
automatically whether I look at the build log or not.

Perhaps I could set the badness higher so that it just barely passes, so 
any other files would block the build. But then I can't know what order 
some other possible new file would appear. Maybe a new suid file appears 
in a later version of the upstream package and it happens to appear 
earlier in the build process than the file I know about. Maybe the file 
I know about is no longer suid at the same time? Now instead of the 
accurate and safe behavior I had, I have the possibility of some totally 
other file I do not agree with passing the check and getting all the way 
onto production boxes.

That scenario is a little bit contrived but then again every security 
exploit everywhere is made of exactly such loopholes. This is NOT an 
increase in safety.

I'll get the package built. I just do not like the forced decrease in 
safety. Especially galling is inflicting an unwilling decrease in 
security, and claiming it's to increase security.

-- 
bkw

On 10/11/2011 1:05 PM, Nelson Marques wrote:
...
Try this:
setBadness("permissions-file-setuid-bit", 100)
That should decrease the badness index to 100 so you can still get
your package built, but it should be fixed.
NM
2011/10/11 Brian K. White:
...
Similar to
http://lists.opensuse.org/opensuse-buildservice/2011-06/msg00197.html
I have:
incron.x86_64: E: permissions-file-setuid-bit (Badness: 10000)
/usr/bin/incrontab is packaged with setuid/setgid bits (04755)
If the package is intended for inclusion in any SUSE product please open a
bug
report to request review of the program by the security team
Even though I have:
incron.rpmlintrc
addFilter("permissions-file-setuid-bit .*/usr/bin/incrontab")
and that's been working in every version from 10.0 to 11.4
The suggestion about setbadness, doesn't that mean to ignore the error on
any file that might trigger it? How is ignoring an error everywhere better
than selectively ignoring it for a single specific known file? You can't
make that suggestion and still say you are worried about peoples safety and
trying to make things the most correct they can be.
The package is incron:
https://build.opensuse.org/package/files?package=incron&project=home%3Aaljex
--
bkw
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
-- 
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org