Red Hat Bugzilla – Bug 366711
mock --version -> /usr/bin/mock: Permission denied
Last modified: 2013-01-09 20:43:12 EST
Description of problem:
# mock --version
bash: /usr/bin/mock: Permission denied
Version-Release number of selected component (if applicable):
Steps to Reproduce:
run "mock --version".
"mock --version" to return the version number.
AFAICT, this issue is caused by users who are not members of the "mock" group.
This bug prevents using "mock --version" to examine the version of mock, in
scripts to install mock-addons, configure scripts etc. because accounts running
such scripts aren't necessarily members of the "mock"-group or root.
Wontfix: The only way I can see to fix this is to write a non-setuid wrapper for
the setuid wrapper. The only purpose of the non-setuid wrapper would be to check
if --version is specified and print it, otherwise it would exec the setuid wrapper.
This is pretty silly, so the final answer is going to be:
"You must be a member of the 'mock' group in order to do *anything* with mock"
The alternative: "rpm -q mock"
The other alternative would have been to move the check for proper group
ownership inside of the setuid wrapper. This alternative has been considered and
rejected as it would require hardcoding the group name inside the executable and
would not allow administrators to reconfigure the system for site-local policy.
(eg. remove setuid and require root access, add permissions for other groups,
(In reply to comment #1)
> Wontfix: The only way I can see to fix this is to write a non-setuid wrapper
> for the setuid wrapper.
A program not being able to be invoked by arbitrary users simply is mal-designed.
If you want it formally: A program not supporting --version, --help and requiring
a special id/uid violates the GNU coding standards.
> This is pretty silly, so the final answer is going to be:
> "You must be a member of the 'mock' group in order to do *anything* with mock"
No THAT IS SILLY.
> The alternative: "rpm -q mock"
And this is SILLY, too.
changed in mock 0.9.0. There is no more setuid wrapper. /usr/bin/mock is a link
to consolehelper and /usr/sbin/mock is what used to be mock.py.
Mock now follows the conventions that all other consolehelper programs use.
You can now run "/usr/bin/mock --version" as an arbitrary user. It requires
root password or membership in 'mock' group before it will continue, though. You
can run /usr/sbin/mock directly if you want. The "--version" param will work as
Current plan is to leave 0.9.x in F-9 for a while (month or so) before
backporting to F-8/F-7.
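
The use case from this report (an install or configure script that needs mock's version while running from an account outside the 'mock' group), as an added shell example that is not part of the bug report or of mock itself: it tries `mock --version` and falls back to the RPM database, the alternative named in comment #1. `MOCK_BIN` and `RPM_BIN` are hypothetical override variables introduced here so the function can be pointed at other paths.

```shell
#!/bin/sh
# Added example: probe mock's version without assuming 'mock' group membership.
# MOCK_BIN / RPM_BIN are hypothetical overrides, not variables mock or rpm read.

mock_version() {
    mock_bin=${MOCK_BIN:-/usr/bin/mock}
    rpm_bin=${RPM_BIN:-rpm}

    # With the setuid wrapper, /usr/bin/mock is not executable for accounts
    # outside the 'mock' group, so test -x first instead of provoking
    # "Permission denied". stdin comes from /dev/null so that a wrapper
    # asking for authentication cannot block an unattended script.
    if [ -x "$mock_bin" ] &&
       out=$("$mock_bin" --version 2>/dev/null </dev/null) &&
       [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 0
    fi

    # Fallback from the thread: ask the package database, which any
    # unprivileged account can query.
    if out=$("$rpm_bin" -q --qf '%{VERSION}\n' mock 2>/dev/null) &&
       [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 0
    fi

    # Neither source produced a version: let the caller decide what to do.
    return 1
}
```

The function prints whatever the first working source reports and returns non-zero when neither source answers, so a caller can treat "mock not installed" and "mock not usable by this account" separately from a successful probe.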