Bug 15856 - RFE: suidperl split to a subpackage
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: perl
Version: 7.1
Hardware: i386
OS: Linux
medium
medium
Assignee: Chip Turner
Keywords: Security
Reported: 2000-08-09 17:11 UTC by Pekka Savola
Modified: 2008-05-01 15:37 UTC
Doc Type: Bug Fix
Last Closed: 2001-12-13 21:14:48 UTC

Description Pekka Savola 2000-08-09 17:11:05 UTC
In view of the latest suidperl exploit and the fact that
suidperl is used only in very rare circumstances (not by
Red Hat RPMS at least :), it'd be a good idea to split it into
a subpackage which wouldn't be installed by default.

Comment 1 Bill Nottingham 2000-08-09 17:39:15 UTC
Or just remove it completely. :)

Comment 2 Chris Evans 2000-08-11 12:39:00 UTC
How about putting the new suidperl package on Powertools so that an install of "everything" in the standard distro has one less maniac suid-root program?
P.S. to be awkward, severity -> security :-)
P.P.S. Speaking of maniac suid-root programs, why is procmail suid-root?

Comment 3 Bill Nottingham 2000-08-11 13:59:28 UTC
procmail is setuid root to do mail delivery.

Putting sperl in powertools is complex merely due to our
build process (having one source RPM make package X for
the main distro and package Y from the powertools is not
really supported at the moment.)

Comment 4 Pekka Savola 2000-12-18 17:35:16 UTC
I think this should now be taken to reconsideration :-)

The most difficult change would be listing all bindir filenames in 
the spec file instead of %{_bindir}/*.

No need to even add perl-suidperl to RedHat/base/comps ;-)


Comment 5 Christian Rose 2001-01-17 11:25:44 UTC
I believe Debian has a separate "perl-suid" package.
I agree that splitting suidperl into a separate package, not installed by default,
is the only sane thing to do, besides not shipping it at all, which of course
also is a solution.


Comment 6 Chris Evans 2001-02-12 00:27:36 UTC
This bug would be a good one to re-visit for RH7.1 final.
Here is the rationale:
- 7.1 beta-3 is looking _very_ secure, so eliminating some
of the bigger suid-root stuff is likely to be a big win.
- Hardly anyone uses suid-perl.

Perhaps the following way of proceeding would keep most
people happy:
- Split suid-perl into a sub-package
- Keep it in the main distro
- Only install it if explicitly selected in the installer
- i.e. it's one of the magic packages omitted by an "everything"
install.
- also, the common install classes should _not_ contain the
new package.

Comment 7 Bill Nottingham 2001-12-13 21:14:42 UTC
Chip, can you please do this for your next build?

Comment 8 Chip Turner 2002-03-01 20:33:22 UTC
Latest RAWHIDE perl will now split off a perl-suidperl package with one file,
/usr/bin/suidperl.

