Bug 200906 - wbemexec not executable by standard user
wbemexec not executable by standard user
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: tog-pegasus (Show other bugs)
5
All Linux
medium Severity medium
: ---
: ---
Assigned To: Vitezslav Crhonek
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-08-01 10:39 EDT by Michael DeHaan
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-10 07:03:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michael DeHaan 2006-08-01 10:39:05 EDT
Description of problem:

wbemexec permissions are incorrect.   wbemexec is network aware and should be
runnable by any user, but as installed can only be executed by pegasus and root.

Version-Release number of selected component (if applicable):

2.5.1

How reproducible:

Always

Steps to Reproduce:
1.  ls -l /usr/bin/wbemexec
2.  ...
3.  Profit
   
Actual results:

-rwxr-x--- 1 root pegasus 91612 Jul  7 20:15 /usr/bin/wbemexec

Expected results:

Readable/Executable by normal users.

Additional info:

Probably warrants a security check to validate that local socket authentication
is solid prior to flipping chmod bits -- though most likely this was turned off
due to a packaging issue that was only partially fixed (i.e. the manpages used
to unreadable by normal users).
Comment 2 Tim Potter 2007-06-29 01:46:17 EDT
This seems to be an extension of the policy that only the pegasus user is
allowed to access resources over the network - on the command line only the
pegasus user (or members of the pegasus group) are allowed to run the command
line utilities.

There are a few utilities other than than wbemexec that have inappropriate
permissions.  Having stuff in /usr/bin not a+rx doesn't increase security and
just annoys regular users.

-rwxr-x--- 1 root pegasus   72560 Jan 12 10:31 /usr/bin/cimmof
-rwxr-x--- 1 root pegasus   72560 Jan 12 10:31 /usr/bin/cimmofl
-rwxr-x--- 1 root pegasus  141024 Jan 12 10:31 /usr/bin/cimprovider
-rwxr-x--- 1 root pegasus   92768 Jan 12 10:31 /usr/bin/osinfo
-rwxr-x--- 1 root pegasus  177272 Jan 12 10:31 /usr/bin/wbemexec
drwxr-x--- 2 root pegasus    4096 Jan 12 10:31 /usr/lib/cmpi
drwxr-x--- 3 root pegasus    4096 Jan 12 10:31 /usr/lib/Pegasus
drwxr-x--- 2 root pegasus    4096 Jun 28 08:56 /usr/lib/Pegasus/providers
-rwxr-x--- 1 root pegasus  122528 Jan 12 10:31 /usr/sbin/cimauth
-rwxr-x--- 1 root pegasus  156984 Jan 12 10:31 /usr/sbin/cimconfig
-rwxr-x--- 1 root pegasus   91608 Jan 12 10:31 /usr/sbin/cimserver
-rwxr-x--- 1 root pegasus  130288 Jan 12 10:31 /usr/sbin/cimuser
-rwxr-x--- 1 root pegasus  225640 Jan 12 10:31 /usr/sbin/repupgrade
drwxr-x--- 2 root pegasus    4096 Jun 26 16:05 /usr/share/Pegasus/scripts
-rwxr-x--- 1 root pegasus    2823 Apr 12  2006 /usr/share/Pegasus/scripts/genOpe
nPegasusSSLCerts
-rwxr-x--- 1 root pegasus    1615 Jul 13  2005 /usr/share/Pegasus/scripts/init_r
epository
-rwxr-x--- 1 root pegasus     866 Sep 24  2004 /usr/share/Pegasus/scripts/settog

Note You need to log in before you can comment on or make changes to this bug.