Bug 693731 (removesuid16)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Remove all SETUID apps from the distribution | | |
| Product: | [Fedora] Fedora | Reporter: | Daniel Walsh <dwalsh> |
| Component: | distribution | Assignee: | Radek Vokál <rvokal> |
| Status: | CLOSED EOL | QA Contact: | Radek Vokál <rvokal> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 19 | CC: | dcantrell, dksw.daithi, drjohnson1, gholms, herrold, ian, mads, mattdm, matt_domsch, panemade, segoon, sgrubb, tmraz, travneff, vpavlin, wd, yersinia.spiros |
| Target Milestone: | --- | Keywords: | Tracking |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | removesetuid | Environment: | |
| Last Closed: | 2015-02-17 13:42:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 646476, 646447, 646448, 646450, 646458, 646462, 646466, 646467, 646471, 646480, 646481, 646482, 646485, 646487, 646490, 646491, 646493, 646495, 648653, 689564, 771134 | | |
| Bug Blocks: | | | |
Description
Daniel Walsh
2011-04-05 13:06:59 UTC
This effectively breaks using nfs or any filesystem which does not support capabilities. Certainly I can work around by finding all the files with a capability and making them SUID, but a) that is likely to break every time I do an update and b) I should audit each of them to make sure that they were (and remain) suid safe. And if they are suid safe, why bother with capabilities? I guess the correct fix would be to make nfs support capabilities. This will probably never happen for nfs3. For nfs4 it looks possible at least, but it still would require significant work upstream, which as best I can tell there are no plans for. I could file a bug for nfs, but I suspect that is not likely to do much good. This change to use capabilities looks premature to me, but a way forward would be to have a configurable flag for rpm and require packages to test for the flag rather than for `%if 0%{?fedora} < 15`, falling back to suid if appropriate and capabilities are not supported. I guess nfs mounting "system" partitions is not that popular, but I find a shared readonly nfs root to be efficient and effective. The only real downside being it is not that well supported :-(

Please also keep in mind that all tools that are used to copy / backup / restore files must be capable of correctly handling capabilities, and if they need special options to do so, then all backup scripts etc. need to be adapted as well. Fedora 16 has already caused problems because standard tools like bacula, cpio or rsync don't handle this well, see bug #771134.

Sadly that is true, but this is also a catalyst to cause these bugs to be fixed, rather than to remain broken forever.

Bacula rawhide 5.2.4 handles file capabilities correctly: http://www.mail-archive.com/bacula-users@lists.sourceforge.net/msg50835.html

While I agree with the removal of setuid in principle, to do it BEFORE the various utilities (tar etc.) support capabilities seems premature and very user-unfriendly. I used to be able to reliably backup and restore my system using tar. Now in Fedora 17 various utilities in a restored system don't work.

David, which application are you using that does not support file capabilities? Did you open a bugzilla on them?

The application is tar, and I was about to open a bug but found the issue has already been raised in bug 771134. I've tried tar's --xattrs option (Fedora 17) but it just doesn't preserve the file capabilities such that utilities like ping, ping6 work after backing up and restoring the system partition. I rely heavily on being able to restore my system partition from a backup. Now it's guaranteed to be broken after a restore and I have to fiddle with setting file capabilities to get it working again.

Well, that bug says bacula was fixed but not tar? Can you open a bug on tar?

A separate bug 771927 already covers the tar issue.

Ok, I updated the bug. Let's follow up in a week if nothing happens.

This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

This message is a notice that Fedora 19 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 19. It is Fedora's policy to close all bug reports from releases that are no longer maintained. Approximately 4 (four) weeks from now this bug will be closed as EOL if it remains open with a Fedora 'version' of '19'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 19 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
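The thread's recurring failure mode is a file capability that silently disappears when a binary passes through a filesystem or archiver that cannot carry the `security.capability` xattr (NFSv3, or a tar run without xattr support), leaving `ping` and friends broken after a restore. The script below is an added example, not code from the bug report or from any Fedora tool: it decodes the raw xattr using the kernel's `struct vfs_cap_data` layout (revisions 1 to 3), renders it in `getcap`'s text form, and compares a capability list recorded before a backup against what the restored tree actually carries, so a lost capability is reported instead of discovered when a command fails. The sample blob, the `/usr/bin/ping` path and the "restored without xattrs" dictionary are constructed for the demonstration.

```python
"""Decode security.capability xattrs and audit a restored tree for lost caps.

Added example, not part of the bug report.  Layout is the kernel's
struct vfs_cap_data (include/uapi/linux/capability.h), all little-endian:
  u32 magic_etc                      VFS_CAP_REVISION_{1,2,3} | FLAGS_EFFECTIVE
  {u32 permitted; u32 inheritable;}  one pair (rev 1) or two (rev 2 and 3)
  u32 rootid                         rev 3 only
"""
import os
import struct

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
REV_SIZES = {1: 12, 2: 20, 3: 24}   # total xattr length per revision

# Capability numbers from the kernel header; list index == cap number.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]


def decode_caps(blob):
    """Parse a raw security.capability value into revision, flag and masks."""
    if len(blob) < 4:
        raise ValueError("xattr too short")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    rev = (magic_etc & VFS_CAP_REVISION_MASK) >> 24
    if rev not in REV_SIZES or len(blob) != REV_SIZES[rev]:
        raise ValueError("unknown revision %d or bad length %d" % (rev, len(blob)))
    permitted = inheritable = 0
    for word in range(1 if rev == 1 else 2):      # word 0: caps 0-31, word 1: 32-63
        p, i = struct.unpack_from("<II", blob, 4 + 8 * word)
        permitted |= p << (32 * word)
        inheritable |= i << (32 * word)
    rootid = struct.unpack_from("<I", blob, 20)[0] if rev == 3 else 0
    return {"revision": rev, "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": permitted, "inheritable": inheritable, "rootid": rootid}


def cap_names(mask):
    """Bit mask -> capability names, lowest bit first."""
    return [CAP_NAMES[n] if n < len(CAP_NAMES) else "cap_%d" % n
            for n in range(64) if (mask >> n) & 1]


def format_caps(info):
    """Render like getcap, e.g. 'cap_net_raw=ep' (one clause per p/i combination)."""
    both = info["permitted"] & info["inheritable"]
    only_p = info["permitted"] & ~info["inheritable"]
    only_i = info["inheritable"] & ~info["permitted"]
    eff = "e" if info["effective"] else ""
    clauses = [",".join(cap_names(mask)) + "=" + eff + flags
               for mask, flags in ((both, "ip"), (only_p, "p"), (only_i, "i")) if mask]
    return " ".join(clauses)


def read_file_caps(path):
    """Raw xattr bytes, or None when the file has no capability or the
    filesystem cannot store one (e.g. NFSv3).  Linux os.getxattr only."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        return os.getxattr(path, "security.capability")
    except OSError:                     # ENODATA, ENOTSUP, or unreadable
        return None


def audit_restore(expected, restored):
    """expected: {path: getcap-style text recorded before the backup};
    restored: {path: raw xattr or None} read from the restored tree.
    Returns [(path, expected, found)] for every file whose caps differ."""
    problems = []
    for path, want in expected.items():
        blob = restored.get(path)
        got = format_caps(decode_caps(blob)) if blob else ""
        if got != want:
            problems.append((path, want, got or "<none: capability lost>"))
    return problems


# Constructed sample: the rev-2 blob written by `setcap cap_net_raw=ep`
# (CAP_NET_RAW is bit 13 -> 0x2000 in permitted[0]; effective flag set).
PING_BLOB = bytes.fromhex("01000002" "00200000" "00000000" "00000000" "00000000")
EXPECTED = {"/usr/bin/ping": "cap_net_raw=ep"}        # hypothetical path
RESTORED_WITHOUT_XATTRS = {"/usr/bin/ping": None}     # what a plain tar restore leaves

if __name__ == "__main__":
    print(format_caps(decode_caps(PING_BLOB)))
    for path, want, got in audit_restore(EXPECTED, RESTORED_WITHOUT_XATTRS):
        print("%s: expected %s, found %s" % (path, want, got))
```

In practice the `expected` map would be built on the live system with `read_file_caps` over the tree (or from `getcap -r /` output) before the backup is taken, and the same function run over the restored tree; an empty result from `audit_restore` is the check that the archiver and target filesystem really carried every capability across.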