366711 – mock --version -> /usr/bin/mock: Permission denied

Bug 366711 - mock --version -> /usr/bin/mock: Permission denied

Summary: mock --version -> /usr/bin/mock: Permission denied

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	mock
Sub Component:
Version:	7
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	David Cantrell
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-11-05 13:09 UTC by Ralf Corsepius
Modified:	2013-01-10 01:43 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-11-06 16:44:02 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Ralf Corsepius 2007-11-05 13:09:02 UTC

Description of problem:
# mock --version
bash: /usr/bin/mock: Permission denied

Version-Release number of selected component (if applicable):
mock-0.8.4-2.fc7

How reproducible:
Deterministic

Steps to Reproduce:
run "mock --version".
  
Expected results:
"mock --version" to return the version number.

Additional info:
AFAICT, this issue is caused by users who are not members of to "mock" group.

This bug prevents using "mock --version" to examine the version of mock, in
scripts to install mock-addons, configure scripts etc. because accounts running
such scripts aren't necessarily members of the "mock"-group or root.

Comment 1 Michael E Brown 2007-11-06 16:44:02 UTC

Wontfix: The only way I can see to fix this is to write a non-setuid wrapper for
the setuid wrapper. The only purpose of the non-setuid wrapper would be to check
if --version is specified and print it, otherwise it would exec the setuid wrapper.

This is a pretty silly, so the final answer is going to be:
"You must be a member of the 'mock' group in order to do *anything* with mock"

The alternative: "rpm -q mock"

Comment 2 Michael E Brown 2007-11-06 16:50:38 UTC

The other alternative would have been to move the check for proper group
ownership inside of the setuid wrapper. This alternative has been considered and
rejected as it would require hardcoding the group name inside the executable and
would not allow administrators to reconfigure the system for site-local policy.
(eg. remove setuid and require root access, add permissions for other groups,
acls, etc.)

Comment 3 Ralf Corsepius 2007-11-06 17:01:59 UTC

(In reply to comment #1)
> Wontfix: The only way I can see to fix this is to write a non-setuid wrapper
for the setuid wrapper.

A program not being able to invoked by arbitrary users simply is mal-designed.

If you want it formally: A program not supporting --version, --help and requires
a special id/uid violates the GNU coding standards.


> This is a pretty silly, so the final answer is going to be:
> "You must be a member of the 'mock' group in order to do *anything* with mock"
No THAT IS SILLY.
 
> The alternative: "rpm -q mock"
And this is SILLY, too.

Comment 4 Michael E Brown 2007-12-10 23:05:50 UTC

changed in mock 0.9.0. There is no more setuid wrapper. /usr/bin/mock is a link
to consolehelper and /usr/sbin/mock is what used to be mock.py.

Mock now follows the conventions that all other consolehelper programs use.

You can now run "/usr/bin/mock --version" as an arbitratry user. It requires
root password or membership in 'mock' group before it will continue, though. You
can run /usr/sbin/mock directly if you want. The "--version" param will work as
non-root.

Current plan is to leave 0.9.x in F-9 for a while (month or so) before
backporting to F-8/F-7.

Note You need to log in before you can comment on or make changes to this bug.