Bug 646455
| Summary: | Can RPMLint notice setuid apps and recommend using file capabilities | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Daniel Walsh <dwalsh> |
| Component: | rpmlint | Assignee: | Ville Skyttä <ville.skytta> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | rawhide | CC: | manuel.wolfshant, sgrubb, tmz, ville.skytta |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | rpmlint-1.0-1.fc14 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-11-10 21:50:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 646440 | | |
Description
Daniel Walsh
2010-10-25 13:09:34 UTC
rpmlint already reports errors about setuid binaries, for example:

    $ rpmlint util-linux-ng | grep setuid-binary
    util-linux-ng.x86_64: E: setuid-binary /usr/bin/chsh root 04711L
    util-linux-ng.x86_64: E: setuid-binary /bin/mount root 04755L
    util-linux-ng.x86_64: E: setuid-binary /usr/bin/chfn root 04711L
    util-linux-ng.x86_64: E: setuid-binary /bin/umount root 04755L

I just added a note about file capabilities to the info message upstream: http://rpmlint.zarb.org/cgi-bin/trac.cgi/changeset/1810

Previously there was a thought that we'd start collecting a "whitelist" of allowed setuid binaries (see bug 496737), but I suppose this Feature will make that point moot. There's only one setuid executable (/usr/kerberos/bin/ksu) whitelisted in the current Fedora rpmlint package; that whitelisting should be removed.

No, I think we are going to have to allow a few: su, sudo, consolehelper, ksu.

Ok, I'll add su and sudo (and sudoedit) to the whitelist instead. Don't know about consolehelper; FWIW /usr/bin/consolehelper is not setuid here (F-13).

    $ ls -l /usr/bin/consolehelper*
    -rwxr-xr-x 1 root root 9048 Mar 26 2010 /usr/bin/consolehelper
    -rwxr-xr-x 1 root root 42072 Mar 26 2010 /usr/bin/consolehelper-gtk

    -rws--x--x. 1 root root 43856 Sep 29 19:18 /usr/sbin/userhelper

Some of the other requests are being rejected also. passwd, and initctl?

(In reply to comment #4)
> -rws--x--x. 1 root root 43856 Sep 29 19:18 /usr/sbin/userhelper

Ah, userhelper, not consolehelper.

> Some of the other requests are being rejected also. passwd, and initctl?

Not sure what you mean by that - if you're asking me whether those should be whitelisted or not, I'm sure you're more qualified to tell it than I am.

Anyway, this is what I currently have in store for the next rpmlint package's default config; you can try it out by inserting it into your ~/.config/rpmlint:

    # https://bugzilla.redhat.com/496737, https://bugzilla.redhat.com/646455
    for pkg, exe in (("coreutils", "/bin/su"),
                     ("krb5-workstation", "/usr/kerberos/bin/ksu"),
                     ("passwd", "/usr/bin/passwd"),
                     ("sudo", "/usr/sbin/sudo(edit)?"),
                     ("upstart", "/sbin/initctl"),
                     ("usermode", "/usr/sbin/userhelper")):
        addFilter("%s.* (setuid-binary|non-standard-executable-perm) %s (root )?04" % (pkg, exe))

(In reply to comment #5)
> ("sudo", "/usr/sbin/sudo(edit)?"),

This should be /usr/bin, not /usr/sbin.

rpmlint-1.0-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/rpmlint-1.0-1.fc14

rpmlint-1.0-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with

    su -c 'yum --enablerepo=updates-testing update rpmlint'

You can provide feedback for this update here: https://admin.fedoraproject.org/updates/rpmlint-1.0-1.fc14

rpmlint-1.0-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
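The whitelist config discussed in the thread works by passing regular expressions to rpmlint's addFilter(); the follow-up comment points out that the draft pattern used /usr/sbin for sudo and so would not have suppressed the real /usr/bin/sudo report. The following is an added example, not code from the bug or from the rpmlint project, that renders the same regexes and applies them to a constructed set of rpmlint-style output lines, so the effect of the /usr/sbin versus /usr/bin mistake can be seen directly. It assumes rpmlint applies each filter as an unanchored regex search against the rendered message line; the sample lines, the hypothetical acme-agent package and the helper names are constructed for this example.

```python
import re

# Constructed rpmlint-style output lines (not real output from the bug report).
# Shape mirrors what rpmlint prints: "<pkg>.<arch>: E: <check> <path> <owner> <mode>".
SAMPLE_LINES = [
    "util-linux-ng.x86_64: E: setuid-binary /bin/mount root 04755L",
    "util-linux-ng.x86_64: E: setuid-binary /usr/bin/chsh root 04711L",
    "coreutils.x86_64: E: setuid-binary /bin/su root 04755L",
    "sudo.x86_64: E: setuid-binary /usr/bin/sudo root 04111L",
    "sudo.x86_64: E: setuid-binary /usr/bin/sudoedit root 04111L",
    "passwd.x86_64: E: setuid-binary /usr/bin/passwd root 04755L",
    "usermode.x86_64: E: setuid-binary /usr/sbin/userhelper root 04711L",
    # hypothetical package that should never be whitelisted
    "acme-agent.x86_64: E: setuid-binary /usr/bin/acme-agent root 04755L",
]

# Whitelist as first posted in the thread (sudo under /usr/sbin) ...
DRAFT_WHITELIST = (
    ("coreutils", "/bin/su"),
    ("krb5-workstation", "/usr/kerberos/bin/ksu"),
    ("passwd", "/usr/bin/passwd"),
    ("sudo", "/usr/sbin/sudo(edit)?"),
    ("upstart", "/sbin/initctl"),
    ("usermode", "/usr/sbin/userhelper"),
)

# ... and with the path correction from the follow-up comment applied.
FIXED_WHITELIST = tuple(
    (pkg, "/usr/bin/sudo(edit)?" if pkg == "sudo" else exe)
    for pkg, exe in DRAFT_WHITELIST
)

# Same template string the config passes to addFilter().
FILTER_TEMPLATE = "%s.* (setuid-binary|non-standard-executable-perm) %s (root )?04"


def build_filters(whitelist):
    """Render one addFilter() regex per (package, executable regex) pair."""
    return [FILTER_TEMPLATE % (pkg, exe) for pkg, exe in whitelist]


def apply_filters(lines, filters):
    """Return the lines that survive the filters.

    Assumption (not verified against rpmlint's source here): each filter is
    an unanchored regex searched against the rendered message line, and a
    line matching any filter is dropped from the report.
    """
    compiled = [re.compile(f) for f in filters]
    return [line for line in lines if not any(r.search(line) for r in compiled)]


def surviving_paths(lines, whitelist):
    """Paths of setuid binaries still reported after whitelisting."""
    return [line.split()[3] for line in apply_filters(lines, build_filters(whitelist))]


if __name__ == "__main__":
    for label, whitelist in (("draft", DRAFT_WHITELIST), ("fixed", FIXED_WHITELIST)):
        print("%s whitelist, still reported: %s" % (label, surviving_paths(SAMPLE_LINES, whitelist)))
```

With the draft whitelist both sudo lines are still reported because the regex demands /usr/sbin/sudo; with the corrected path they are suppressed, while the util-linux-ng files and the non-whitelisted acme-agent binary remain flagged in both cases. Because the filters are regexes searched against the whole line, the package name prefix is what keeps one package's whitelist entry from silencing another package that ships a file at the same path.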
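The bug asks rpmlint to notice setuid executables and point packagers at file capabilities as the alternative. rpmlint does this on the package payload; the following added example (not code from the bug, rpmlint or Fedora) does the equivalent on an installed tree: it walks a directory, reports regular files with the setuid or setgid bit set, and records whether each already carries a security.capability extended attribute. It assumes a Linux host where os.getxattr is available and file capabilities live in that xattr; the demo_in_tempdir() helper and its constructed files are part of this example only.

```python
import errno
import os
import shutil
import stat
import sys
import tempfile

# Assumption: Linux stores file capabilities in this extended attribute.
CAP_XATTR = "security.capability"


def file_capabilities_state(path):
    """True if path carries a security.capability xattr, False if it does
    not, None if the platform or filesystem cannot tell us."""
    getxattr = getattr(os, "getxattr", None)  # Linux-only in CPython
    if getxattr is None:
        return None
    try:
        getxattr(path, CAP_XATTR, follow_symlinks=False)
        return True
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return False
        return None  # ENOTSUP, EPERM, ...: unknown rather than "no caps"


def scan_setuid(root):
    """Report regular files under root with setuid or setgid set, the
    on-disk counterpart of rpmlint's setuid-binary check on package files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            findings.append({
                "path": path,
                "mode": "%05o" % stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "setuid": bool(st.st_mode & stat.S_ISUID),
                "setgid": bool(st.st_mode & stat.S_ISGID),
                "file_caps": file_capabilities_state(path),
            })
    return sorted(findings, key=lambda f: f["path"])


def advice(finding):
    """One-line recommendation per finding, in the spirit of the rpmlint note."""
    if finding["setuid"] and finding["uid"] == 0 and finding["file_caps"] is False:
        return "setuid root without file capabilities: consider replacing with file capabilities"
    if finding["file_caps"]:
        return "already carries file capabilities; check whether the setuid bit is still needed"
    return "review"


def demo_in_tempdir():
    """Constructed tree: one setuid file and one plain file (example fixture)."""
    root = tempfile.mkdtemp(prefix="setuid-scan-")
    try:
        suid = os.path.join(root, "helper")
        plain = os.path.join(root, "plain")
        for p in (suid, plain):
            with open(p, "wb") as fh:
                fh.write(b"#!/bin/sh\n")
        os.chmod(plain, 0o755)
        os.chmod(suid, 0o4755)  # owner-setuid, like /bin/su or /usr/bin/passwd
        return scan_setuid(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_setuid(target) if target else demo_in_tempdir()
    for f in results:
        print("%s %s uid=%d caps=%s: %s" % (f["mode"], f["path"], f["uid"], f["file_caps"], advice(f)))
```

Run it as `python3 scan.py /usr/bin` to list the setuid helpers on a real system; the whitelisted set from the thread (su, sudo, passwd, userhelper and friends) is what you would expect to see. Only the presence of the xattr is checked, not its contents; decoding the capability set itself is out of scope here.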