Bug 617640

Summary: Warning on install: user mockbuild does not exist
Product: [Fedora] Fedora Reporter: Christopher Beland <beland>
Component: xorg-x11-xinitAssignee: X/OpenGL Maintenance List <xgl-maint>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: high    
Version: 12CC: cebbert, chkr, djh, dominik, ffesti, james.antill, jpazdziora, mattdm, maxamillion, m.a.young, mcepl, pmatilai, rc040203, tim.lauridsen, xgl-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: xorg-x11-xinit-1.0.9-18.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-09-01 03:28:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Christopher Beland 2010-07-23 15:41:37 UTC
"yum update" produced the following warning.

  Updating       : xorg-x11-xinit-1.0.9-16.fc12.i686                      16/69 
warning: user mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: user mockbuild does not exist - using root

Comment 1 Matěj Cepl 2010-07-24 13:15:38 UTC
Moving to yum component, but I doubt there is some real issue here. Is there something broken or is it just that these warnings are confusing?

Comment 2 Christopher Beland 2010-07-24 18:48:58 UTC
If nothing is broken, there should be no warnings or errors.

Comment 3 seth vidal 2010-07-26 02:54:52 UTC
something in that package is owned by the user mockbuild. That user doesn't exist on your system so rpm can't chown the files to it.

hence the warning.

so:
1. the message is coming from rpm(rpm-lib)
2. this is a problem in the package.

Comment 4 Matěj Cepl 2010-07-26 08:50:02 UTC
(In reply to comment #2)
> If nothing is broken, there should be no warnings or errors.    

I am sorry, bad wording of my question, I meant whether you can observe some other problem with this package, or is it only warnings happening?

Comment 5 Michael Young 2010-08-11 12:01:46 UTC
I am seeing this as well. What it means is that the files (/usr/bin/ck-xinit-session /usr/bin/startx /usr/bin/xinit) have been packaged as owned by mockbuild, which is wrong - see rpm -qlv x11-org-xinit or rpm -qlvp x11-xorg-xinit-1.0.9-16.fc12.i386.rpm . In x11-xorg-xinit-1.0.9-14.fc12.i386.rpm the files were packaged to be owned by root which is more sensible.

What that means is that if there isn't a mockbuild user on the system installing the package then the system installs the files as owned by root so the only problem is the annoying warnings. If however there is a mockbuild user then the files will be owned by that user, which means that that user can do evil things to those files so it is a security risk.

Comment 6 Dominik 'Rathann' Mierzejewski 2010-08-11 17:37:22 UTC
As a side effect, the installed package doesn't pass rpm -V:

$ rpm -V xorg-x11-xinit
.....U...    /usr/bin/ck-xinit-session
.....U...    /usr/bin/startx
.....U...    /usr/bin/xinit
.....U...    /usr/libexec/xinit-compat

This could trip up some intrusion detection systems.

These lines in the spec file seem to be the problem:
%attr(755,-,root) %{_bindir}/startx
%attr(755,-,root) %{_bindir}/xinit
%attr(755,-,root) %{_bindir}/ck-xinit-session
%attr(755,-,root) %{_libexecdir}/xinit-compat

Here you didn't set the owner, so rpm used current user (mockbuild under mock) instead. Please replace '-' with 'root' above and all will be well.

Comment 7 Jan Pazdziora 2010-08-13 14:31:15 UTC
Matěj, the .spec is clearly wrong, as pointed out in comment 6. Clearing the needinfo. Or is any other info needed?

Note that at least bug 623702 and bug 623912 seem to be talking about the same issue, so people notice this and we might want to bump up the priority of this bugzilla and get new package respinned.

Comment 8 Matthew Miller 2010-08-15 20:09:42 UTC
*** Bug 623702 has been marked as a duplicate of this bug. ***

Comment 9 Matthew Miller 2010-08-15 20:09:54 UTC
*** Bug 623912 has been marked as a duplicate of this bug. ***

Comment 10 Matthew Miller 2010-08-15 20:12:52 UTC
Wrong file ownership can lead to serious security issues, and this is a minor change.

I'm a little disturbed that the packager doesn't understand the issue here.

Comment 11 Ville Skyttä 2010-08-26 16:23:23 UTC
Still unfixed, setting Security keyword in order to draw more attention.

Comment 12 Fedora Update System 2010-08-27 14:40:55 UTC
xorg-x11-xinit-1.0.9-18.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/xorg-x11-xinit-1.0.9-18.fc12

Comment 13 Fedora Update System 2010-08-27 14:54:29 UTC
xorg-x11-xinit-1.0.9-18.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/xorg-x11-xinit-1.0.9-18.fc13

Comment 14 Fedora Update System 2010-08-27 14:55:32 UTC
xorg-x11-xinit-1.0.9-18.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/xorg-x11-xinit-1.0.9-18.fc14

Comment 15 Matěj Cepl 2010-08-30 10:06:31 UTC
(In reply to comment #11)
> Still unfixed, setting Security keyword in order to draw more attention.

Please, don't do it ... catch me on #fedora-bugzappers, send me personal email, or something, but please don't misuse Security keyword for pinging me (although this might theoretically be security related).

Comment 16 Fedora Update System 2010-08-30 18:20:58 UTC
xorg-x11-xinit-1.0.9-18.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update xorg-x11-xinit'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/xorg-x11-xinit-1.0.9-18.fc13

Comment 17 Fedora Update System 2010-09-01 03:28:09 UTC
xorg-x11-xinit-1.0.9-18.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2010-09-01 05:59:30 UTC
xorg-x11-xinit-1.0.9-18.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2010-09-02 20:39:26 UTC
xorg-x11-xinit-1.0.9-18.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.