Mailinglist Archive: opensuse-buildservice (175 mails)

Re: [opensuse-buildservice] rpmlintrc addfilter stopped working in Factory only
I already gathered that from the other archived post I linked to.

My question is, I don't WANT to allow any and all files to pass this check. Previously I could allow this one file that I specifically knew all about, yet if say a new suid file appeared in a later version of the package, it wouldn't get automatically built and distributed.

badness 100 means other files will still appear in build logs at least, but the package will still get built and distributed and installed all automatically whether I look at the build log or not.

Perhaps I could set the badness higher so that it just barely passes, so any other files would block the build. But then I can't know what order some other possible new file would appear. Maybe a new suid file appears in a later version of the upstream package and it happens to appear earlier in the build process than the file I know about. Maybe the file I know about is no longer suid at the same time? Now instead of the accurate and safe behavior I had, I have the possibility of some totally other file I do not agree with passing the check and getting all the way onto production boxes.

That scenario is a little bit contrived but then again every security exploit everywhere is made of exactly such loopholes. This is NOT an increase in safety.

I'll get the package built. I just do not like the forced decrease in safety. Especially galling is inflicting an unwilling decrease in security, and claiming it's to increase security.

--
bkw

On 10/11/2011 1:05 PM, Nelson Marques wrote:
Try this:

setBadness("permissions-file-setuid-bit", 100)

That should decrease the badness index to 100 so you can still get
your package built, but it should be fixed.

NM

2011/10/11 Brian K. White<brian@xxxxxxxxx>:
Similar to
http://lists.opensuse.org/opensuse-buildservice/2011-06/msg00197.html

I have:
incron.x86_64: E: permissions-file-setuid-bit (Badness: 10000)
/usr/bin/incrontab is packaged with setuid/setgid bits (04755)
If the package is intended for inclusion in any SUSE product please open a bug report to request review of the program by the security team

Even though I have:
incron.rpmlintrc
addFilter("permissions-file-setuid-bit .*/usr/bin/incrontab")
and that's been working in every version from 10.0 to 11.4

The suggestion about setBadness, doesn't that mean to ignore the error on
any file that might trigger it? How is ignoring an error everywhere better
than selectively ignoring it for a single specific known file? You can't
make that suggestion and still say you are worried about people's safety and
trying to make things the most correct they can be.

The package is incron:

https://build.opensuse.org/package/files?package=incron&project=home%3Aaljex

--
bkw
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx
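The difference the thread argues about, a per-file filter versus a lowered global badness score, can be made concrete with a small post-build check. The following is an added example and is not code from the thread, from rpmlint or from the incron package: it parses a file listing in the shape of `rpm -qlvp` output (the two listings below are constructed sample data), and applies both policies to the scenario Brian describes, where a later upstream release ships a new setuid file while the known one loses its setuid bit. The badness-per-hit value of 10000 is the one shown in the thread's rpmlint output; the threshold of 1000 at which a build is assumed to fail is an assumption made for this example, not a documented OBS value.

```python
"""Added example: per-file setuid allowlist vs. global badness threshold.

Both listings are constructed sample data in the shape of `rpm -qlvp`
output: mode, link count, owner, group, size, month, day, year, path.
"""

# Build of the version the packager has reviewed: one known setuid binary.
BUILD_A = """\
-rwsr-xr-x    1 root    root       12345 Oct 11  2011 /usr/bin/incrontab
-rwxr-xr-x    1 root    root       23456 Oct 11  2011 /usr/sbin/incrond
"""

# Hypothetical later release: a new setuid helper appears, listed before
# the known file, and the known file is no longer setuid.
BUILD_B = """\
-rwsr-xr-x    1 root    root        4567 Oct 12  2011 /usr/bin/incron-helper
-rwxr-xr-x    1 root    root       12345 Oct 12  2011 /usr/bin/incrontab
-rwxr-xr-x    1 root    root       23456 Oct 12  2011 /usr/sbin/incrond
"""

# The only set-id file the packager has actually reviewed (the thread's addFilter target).
ALLOWED_SUID = {"/usr/bin/incrontab"}

DEFAULT_BADNESS = 10000   # per-hit value shown in the thread's rpmlint output
LOWERED_BADNESS = 100     # value from the setBadness() suggestion in the thread
FAIL_THRESHOLD = 1000     # assumed build-failure threshold for this example


def parse_listing(text):
    """Return (path, mode_string) pairs from an `rpm -qlv`-style listing."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(None, 8)  # path is the 9th field and may contain spaces
        if len(fields) != 9:
            raise ValueError("unexpected listing line: %r" % line)
        entries.append((fields[8], fields[0]))
    return entries


def setid_files(text):
    """Paths whose mode string carries the setuid or setgid bit.

    In a ls-style mode string the owner-execute column (index 3) shows
    's'/'S' for setuid and the group-execute column (index 6) for setgid.
    """
    return [path for path, mode in parse_listing(text)
            if mode[3] in "sS" or mode[6] in "sS"]


def allowlist_policy(text, allowed=ALLOWED_SUID):
    """Per-file policy (what addFilter on one path gives).

    Returns (passed, unexpected_paths). Any set-id file that is not on the
    explicit allowlist fails the check, whatever else is in the package.
    """
    unexpected = [p for p in setid_files(text) if p not in allowed]
    return (not unexpected, unexpected)


def badness_policy(text, per_file=LOWERED_BADNESS, threshold=FAIL_THRESHOLD):
    """Global policy (what setBadness gives).

    Returns (passed, total_badness). Every set-id file adds `per_file` and the
    check only fails once the sum exceeds `threshold`; which file triggered it
    plays no role.
    """
    total = per_file * len(setid_files(text))
    return (total <= threshold, total)


if __name__ == "__main__":
    for name, listing in (("build A", BUILD_A), ("build B", BUILD_B)):
        print(name, "allowlist:", allowlist_policy(listing))
        print(name, "badness  :", badness_policy(listing))
```

Run stand-alone, the script shows build A passing both policies, while build B is rejected by the allowlist (the unreviewed `/usr/bin/incron-helper` is reported by name) but accepted by the lowered badness score, since a single hit at 100 stays under the assumed threshold. The allowlist check is cheap to run against the built RPM as a post-build step, independent of how rpmlint scores the finding.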
