Description of problem:
# mock --version
bash: /usr/bin/mock: Permission denied
Version-Release number of selected component (if applicable):
mock-0.8.4-2.fc7
How reproducible:
Deterministic
Steps to Reproduce:
run "mock --version".
Expected results:
"mock --version" to return the version number.
Additional info:
AFAICT, this issue is caused by users who are not members of the "mock" group. This bug prevents using "mock --version" to examine the version of mock in scripts to install mock-addons, configure scripts, etc., because accounts running such scripts aren't necessarily members of the "mock"-group or root.
Wontfix: The only way I can see to fix this is to write a non-setuid wrapper for the setuid wrapper. The only purpose of the non-setuid wrapper would be to check if --version is specified and print it; otherwise it would exec the setuid wrapper. This is pretty silly, so the final answer is going to be: "You must be a member of the 'mock' group in order to do *anything* with mock". The alternative: "rpm -q mock"
The other alternative would have been to move the check for proper group ownership inside of the setuid wrapper. This alternative has been considered and rejected as it would require hardcoding the group name inside the executable and would not allow administrators to reconfigure the system for site-local policy (e.g. remove setuid and require root access, add permissions for other groups, ACLs, etc.).
(In reply to comment #1)
> Wontfix: The only way I can see to fix this is to write a non-setuid wrapper for the setuid wrapper.
A program not being able to be invoked by arbitrary users simply is mal-designed. If you want it formally: A program not supporting --version, --help and requiring a special id/uid violates the GNU coding standards.
> This is pretty silly, so the final answer is going to be:
> "You must be a member of the 'mock' group in order to do *anything* with mock"
No, THAT IS SILLY.
> The alternative: "rpm -q mock"
And this is SILLY, too.
Changed in mock 0.9.0. There is no more setuid wrapper. /usr/bin/mock is a link to consolehelper and /usr/sbin/mock is what used to be mock.py. Mock now follows the conventions that all other consolehelper programs use. You can now run "/usr/bin/mock --version" as an arbitrary user. It requires root password or membership in 'mock' group before it will continue, though. You can run /usr/sbin/mock directly if you want. The "--version" param will work as non-root. Current plan is to leave 0.9.x in F-9 for a while (month or so) before backporting to F-8/F-7.