Red Hat Bugzilla – Bug 496737
rpmlint incorrectly treats setuid /usr/kerberos/bin/ksu as an error
Last modified: 2010-10-26 14:43:40 EDT
When run against the krb5-workstation package, rpmlint-0.87-1.fc11 is printing an error that /usr/kerberos/bin/ksu is setuid. This binary's been setuid since FC5, and the security response team should already have it in their whitelist.
All we can do about this is to filter the message out in the Fedora rpmlint config. But I would like to do that for all "known good" setuid/setgid executables while at it. Is the security response team's whitelist available in public so I could use it to add the exceptions?
The list isn't public yet. I'm happy to maintain the list for our rpmlint config. Just help me understand what is needed.
(In reply to comment #2)
> The list isn't public yet. I'm happy to maintain the list for our rpmlint
> config. Just help me understand what is needed.
For each whitelisted setuid/setgid executable, we'll want to mute two rpmlint messages, the setuid/setgid one, and the non-standard-executable-perm one. For example:
krb5-workstation.x86_64: E: setuid-binary /usr/kerberos/bin/ksu root 04755
krb5-workstation.x86_64: E: non-standard-executable-perm /usr/kerberos/bin/ksu 04755
These would be filtered out in rpmlint's config (/usr/share/rpmlint/config when installed, rpmlint.config in CVS) for example with:
addFilter("krb5-workstation.+ (setuid-binary|non-standard-executable-perm) /usr/kerberos/bin/ksu (root )?04755")
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.
More information and reason for this action is here:
rpmlint-0.89-1.fc11 has been submitted as an update for Fedora 11.
rpmlint-0.89-1.fc10 has been submitted as an update for Fedora 10.
rpmlint-0.90-1.fc11 has been submitted as an update for Fedora 11.
rpmlint-0.90-1.fc10 has been submitted as an update for Fedora 10.
Setting needinfo for comments 2 and 3.
rpmlint-0.90-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
rpmlint-0.90-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '11'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 11's end of life.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 11 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora please change the 'version' of this
bug to the applicable version. If you are unable to change the version,
please add a comment here and someone will do it for you.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The process we are following is described here:
Still waiting for feedback to comment 2 and comment 3 from Josh or other security response team members.
No progress with the whitelist yet, and bug 646455 will in my opinion make this feature moot in rpmlint, so closing as WONTFIX.
Bug 646455 was just closed/notabug, but I don't know whether that means we reopen this or just let it go.
(In reply to comment #15)
> Bug 646455 was just closed/notabug
Um, no it wasn't :) https://bugzilla.redhat.com/show_activity.cgi?id=646455
But there is a bit of new development/discussion in it which kind of implements what was requested in this bug (from comment 1 onwards) so WONTFIX might not be entirely accurate, but I don't think we need two bugs open for practically the same thing, especially considering that the original reported issue in this bug report has already been taken care of and it looks like the fix will not be removed.
Right you are. My apologies. I was thinking of bug #646477.