Bug 15856

Summary: RFE: suidperl split to a subpackage
Product: [Retired] Red Hat Linux
Reporter: Pekka Savola <pekkas>
Component: perl
Assignee: Chip Turner <cturner>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: 7.1
CC: chris, menthos, notting, pekkas, redhat
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-12-13 21:14:48 UTC

Description Pekka Savola 2000-08-09 17:11:05 UTC
In view of the latest suidperl exploit and the fact that
suidperl is used only in very rare circumstances (not by
Red Hat RPMS at least :), it'd be a good idea to split it to
a subpackage which wouldn't be installed by default.

Comment 1 Bill Nottingham 2000-08-09 17:39:15 UTC
Or just remove it completely. :)

Comment 2 Chris Evans 2000-08-11 12:39:00 UTC
How about putting the new suidperl package on Powertools so that an install of "everything" in the standard distro has one less maniac suid-root program?
P.S. to be awkward, severity -> security :-)
P.P.S. Speaking of maniac suid-root programs why is procmail suid-root?

Comment 3 Bill Nottingham 2000-08-11 13:59:28 UTC
procmail is setuid root to do mail delivery.

Putting sperl in powertools is complex merely due to our
build process (having one source RPM make package X for
the main distro and package Y from the powertools is not
really supported at the moment.)

Comment 4 Pekka Savola 2000-12-18 17:35:16 UTC
I think this should now be taken to reconsideration :-)

The most difficult change would be listing all bindir filenames in 
the spec file instead of %{_bindir}/*.

No need to even add perl-suidperl to RedHat/base/comps ;-)


Comment 5 Christian Rose 2001-01-17 11:25:44 UTC
I believe Debian has a separate "perl-suid" package.
I agree that splitting suidperl in a separate package, not installed by default,
is the only sane thing to do, besides not shipping it at all, which of course
also is a solution.


Comment 6 Chris Evans 2001-02-12 00:27:36 UTC
This bug would be a good one to re-visit for RH7.1 final.
Here is the rationale:
- 7.1 beta-3 is looking _very_ secure, so eliminating some
of the bigger suid-root stuff is likely to be a big win.
- Hardly anyone uses suid-perl.

Perhaps the following way of proceeding would keep most
people happy:
- Split suid-perl into a sub-package
- Keep it in the main distro
- Only install it if explicitly selected in the installer
- i.e. it's one of the magic packages omitted by an "everything"
install.
- also, the common install classes should _not_ contain the
new package.

Comment 7 Bill Nottingham 2001-12-13 21:14:42 UTC
Chip, can you please do this for your next build?

Comment 8 Chip Turner 2002-03-01 20:33:22 UTC
Latest RAWHIDE perl will now split off a perl-suidperl package with one file,
/usr/bin/suidperl.