Bug 446446 - sectool --level 3 doesn't finish
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: sectool
rawhide
All Linux
medium Severity medium
Assigned To: Peter Vrabec
Fedora Extras Quality Assurance
Reported: 2008-05-14 12:45 EDT by Steve Grubb
Modified: 2008-05-28 22:41 EDT
Fixed In Version: 0.7.4-2.fc9
Doc Type: Bug Fix
Last Closed: 2008-05-28 22:41:59 EDT
Description Steve Grubb 2008-05-14 12:45:06 EDT
Description of problem:
When running level 3 and higher tests, it never finishes. With --debug, you see
that it's in home_files test and appears to finish testing root. Then getting the
next user, it outputs:

testing user "systderr from filesystem: find: '/libexec' : No such file or directory

stderr from filesystem: /usr/bin/stat: cannot stat '/tmp/sh-thd-1210787222' : No
such file or directory

There is no closing double-quote. Running strace shows it's looping between
select and wait4.


Version-Release number of selected component (if applicable):
0.7.3-1.fc10

How reproducible:
every time

Steps to Reproduce:
1. sectool --level 3
Comment 1 Jakub Hrozek 2008-05-15 08:08:01 EDT
Both home_files and running a level work fine for me. Can you please re-run
without the home_files test (sectool --level 3 --exclude home_files)? Can you
check that the test is still running after sectool "freezes"?
(just ps aux | grep home_files.sh)
Comment 2 Steve Grubb 2008-05-15 11:03:44 EDT
I upgraded some packages yesterday. Today it's acting better. I no longer see the
bad user name.

When it "hangs" now, I ran ps and see that it's executing sh
/usr/share/sectool/tests/filesystem

I see it looping over and over doing something with files. But the text on the
screen is half finished looking like it broke. Maybe it needs an fflush of stdout
to get the screen updated with what it's really doing. Also maybe a warning about
this test taking a while to run is in order?

In the filesystem test, I see a message that says a file is world/group
writable. It's only group writable, not world writable. There is a big difference
security-wise between world and group writable. :) The message should reflect
what it really is.

The selinux test says it's disabled or in the wrong mode. What's wrong about
permissive? I think the message should say what mode it's in and not be vague
about it. Permissive is slightly better than disabled, but it's not wrong. :)

It also still can't differentiate between symlinks and files when it reports
world writable in the alias test. Alias halt is a good example since poweroff is
a symlink.

I wanted to give you feedback on a level 5 run too, but it's been running for 2-3
hours now in the filesystem test. I'll give more feedback when it finally
finishes. I have a feeling this should be a C program and not shell scripts. :)
Comment 3 Daniel Kopeček 2008-05-16 08:54:01 EDT
(In reply to comment #2)
> I upgraded some packages yesterday. Today it's acting better. I no longer see the
> bad user name.
> 
> When it "hangs" now, I ran ps and see that it's executing sh
> /usr/share/sectool/tests/filesystem
> 
> I see it looping over and over doing something with files. But the text on the
> screen is half finished looking like it broke. Maybe it needs an fflush of stdout
> to get the screen updated with what it's really doing. Also maybe a warning about
> this test taking a while to run is in order?
> 
> In the filesystem test, I see a message that says a file is world/group
> writable. It's only group writable, not world writable. There is a big difference
> security-wise between world and group writable. :) The message should reflect
> what it really is.

Could you please post the exact message? The world/group message should appear
only if the file is world/group writable AND world/group executable - and that
is IMHO ok, because an executable file shouldn't be writable for a group - unless
you trust everyone in the group :]. There is a separate test for world-writable
files and dirs.

> The selinux test says it's disabled or in the wrong mode. What's wrong about
> permissive? I think the message should say what mode it's in and not be vague
> about it. Permissive is slightly better than disabled, but it's not wrong. :)
> 
> It also still can't differentiate between symlinks and files when it reports
> world writable in the alias test. Alias halt is a good example since poweroff is
> a symlink.
> 
> I wanted to give you feedback on a level 5 run too, but it's been running for 2-3
> hours now in the filesystem test. I'll give more feedback when it finally
> finishes. I have a feeling this should be a C program and not shell scripts. :)

Yes. I'm rewriting it to C now.
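
The distinction discussed in comments 2 and 3 (group-writable versus world-writable, the writable-and-executable case, and symlinks being reported as world-writable), as an added shell example that is not sectool's code. `has_perm` and `classify_write_perms` are hypothetical helper names, and the sample files are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example, not sectool's code: report exactly which write bits are set,
# so "group writable" is never reported as "world/group writable".

# has_perm PATH BITS: true if every bit in octal BITS is set. find -L follows
# symlinks, so a link is judged by its target; the link's own mode is
# lrwxrwxrwx on Linux and would always look world-writable.
has_perm() {
    [ -n "$(find -L "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# classify_write_perms PATH (hypothetical helper): prints one finding.
classify_write_perms() {
    path=$1 note="" who=""
    if [ -L "$path" ]; then
        [ -e "$path" ] || { echo "dangling symlink"; return 0; }
        note=" (via symlink)"
    elif [ ! -e "$path" ]; then
        echo "missing"; return 0
    fi
    if has_perm "$path" 0020; then who="group"; fi
    if has_perm "$path" 0002; then who="${who:+$who+}world"; fi
    if [ -z "$who" ]; then echo "ok$note"; return 0; fi
    # Writable plus executable by group or other is the higher-risk case
    # described in comment 3, so it is flagged separately.
    if has_perm "$path" 0010 || has_perm "$path" 0001; then
        echo "$who-writable executable$note"
    else
        echo "$who-writable$note"
    fi
}

# Constructed sample files in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/data";   chmod 0664 "$d/data"
    : > "$d/tool";   chmod 0775 "$d/tool"
    : > "$d/safe";   chmod 0755 "$d/safe"
    ln -s safe "$d/link"
    for f in data tool safe link; do
        printf '%s: %s\n' "$f" "$(classify_write_perms "$d/$f")"
    done
    rm -rf "$d"
}
demo
```
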
Comment 4 Michel Samia 2008-05-21 08:58:19 EDT
ad aliases: it is now fixed in git
Comment 5 Fedora Update System 2008-05-22 08:59:41 EDT
sectool-0.7.4-2.fc9 has been submitted as an update for Fedora 9
Comment 6 Fedora Update System 2008-05-28 22:41:57 EDT
sectool-0.7.4-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
