Bug 366711 - mock --version -> /usr/bin/mock: Permission denied
mock --version -> /usr/bin/mock: Permission denied
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: mock (Show other bugs)
7
All Linux
low Severity low
: ---
: ---
Assigned To: David Cantrell
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-05 08:09 EST by Ralf Corsepius
Modified: 2013-01-09 20:43 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-06 11:44:02 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ralf Corsepius 2007-11-05 08:09:02 EST
Description of problem:
# mock --version
bash: /usr/bin/mock: Permission denied

Version-Release number of selected component (if applicable):
mock-0.8.4-2.fc7

How reproducible:
Deterministic

Steps to Reproduce:
run "mock --version".
  
Expected results:
"mock --version" to return the version number.

Additional info:
AFAICT, this issue is caused by users who are not members of to "mock" group.

This bug prevents using "mock --version" to examine the version of mock, in
scripts to install mock-addons, configure scripts etc. because accounts running
such scripts aren't necessarily members of the "mock"-group or root.
Comment 1 Michael E Brown 2007-11-06 11:44:02 EST
Wontfix: The only way I can see to fix this is to write a non-setuid wrapper for
the setuid wrapper. The only purpose of the non-setuid wrapper would be to check
if --version is specified and print it, otherwise it would exec the setuid wrapper.

This is a pretty silly, so the final answer is going to be:
"You must be a member of the 'mock' group in order to do *anything* with mock"

The alternative: "rpm -q mock"
Comment 2 Michael E Brown 2007-11-06 11:50:38 EST
The other alternative would have been to move the check for proper group
ownership inside of the setuid wrapper. This alternative has been considered and
rejected as it would require hardcoding the group name inside the executable and
would not allow administrators to reconfigure the system for site-local policy.
(eg. remove setuid and require root access, add permissions for other groups,
acls, etc.)
Comment 3 Ralf Corsepius 2007-11-06 12:01:59 EST
(In reply to comment #1)
> Wontfix: The only way I can see to fix this is to write a non-setuid wrapper
for the setuid wrapper.

A program not being able to invoked by arbitrary users simply is mal-designed.

If you want it formally: A program not supporting --version, --help and requires
a special id/uid violates the GNU coding standards.


> This is a pretty silly, so the final answer is going to be:
> "You must be a member of the 'mock' group in order to do *anything* with mock"
No THAT IS SILLY.
 
> The alternative: "rpm -q mock"
And this is SILLY, too.
Comment 4 Michael E Brown 2007-12-10 18:05:50 EST
changed in mock 0.9.0. There is no more setuid wrapper. /usr/bin/mock is a link
to consolehelper and /usr/sbin/mock is what used to be mock.py.

Mock now follows the conventions that all other consolehelper programs use.

You can now run "/usr/bin/mock --version" as an arbitratry user. It requires
root password or membership in 'mock' group before it will continue, though. You
can run /usr/sbin/mock directly if you want. The "--version" param will work as
non-root.

Current plan is to leave 0.9.x in F-9 for a while (month or so) before
backporting to F-8/F-7.

Note You need to log in before you can comment on or make changes to this bug.