Bug 496737 - rpmlint incorrectly treats setuid /usr/kerberos/bin/ksu as an error
rpmlint incorrectly treats setuid /usr/kerberos/bin/ksu as an error
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: rpmlint (Show other bugs)
13
All Linux
low Severity medium
: ---
: ---
Assigned To: Ville Skyttä
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-04-20 17:12 EDT by Nalin Dahyabhai
Modified: 2010-10-26 14:43 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-10-25 13:45:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Nalin Dahyabhai 2009-04-20 17:12:52 EDT
When run against the krb5-workstation package, rpmlint-0.87-1.fc11 is printing an error that /usr/kerberos/bin/ksu is setuid.  This binary's been setuid since FC5, and the security response team should already have it in their whitelist.
Comment 1 Ville Skyttä 2009-05-18 15:14:28 EDT
All we can do about this is to filter the message out in the Fedora rpmlint config.  But I would like to do that for all "known good" setuid/setgid executables while at it.  Is the security response team's whitelist available in public so I could use it to add the exceptions?
Comment 2 Josh Bressers 2009-05-19 09:36:48 EDT
The list isn't public yet. I'm happy to maintain the list for our rpmlint config. Just help me understand what is needed.

Thanks.
Comment 3 Ville Skyttä 2009-05-21 05:00:27 EDT
(In reply to comment #2)
> The list isn't public yet. I'm happy to maintain the list for our rpmlint
> config. Just help me understand what is needed.

For each whitelisted setuid/setgid executable, we'll want to mute two rpmlint messages, the setuid/setgid one, and the non-standard-executable-perm one.  For example:

krb5-workstation.x86_64: E: setuid-binary /usr/kerberos/bin/ksu root 04755
krb5-workstation.x86_64: E: non-standard-executable-perm /usr/kerberos/bin/ksu 04755

These would be filtered out in rpmlint's config (/usr/share/rpmlint/config when installed, rpmlint.config in CVS) for example with:

addFilter("krb5-workstation.+ (setuid-binary|non-standard-executable-perm) /usr/kerberos/bin/ksu (root )?04755")
Comment 4 Bug Zapper 2009-06-09 10:14:52 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 5 Fedora Update System 2009-06-21 18:00:56 EDT
rpmlint-0.89-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/rpmlint-0.89-1.fc11
Comment 6 Fedora Update System 2009-06-21 18:02:13 EDT
rpmlint-0.89-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/rpmlint-0.89-1.fc10
Comment 7 Fedora Update System 2009-06-29 11:46:23 EDT
rpmlint-0.90-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/rpmlint-0.90-1.fc11
Comment 8 Fedora Update System 2009-06-29 11:48:40 EDT
rpmlint-0.90-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/rpmlint-0.90-1.fc10
Comment 9 Ville Skyttä 2009-07-13 01:12:50 EDT
Setting needinfo for comments 2 and 3.
Comment 10 Fedora Update System 2009-07-16 03:26:59 EDT
rpmlint-0.90-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2009-07-16 03:29:36 EDT
rpmlint-0.90-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Bug Zapper 2010-04-27 09:49:40 EDT
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 13 Ville Skyttä 2010-04-27 14:08:11 EDT
Still waiting for feedback to comment 2 and comment 3 from Josh or other security response team members.
Comment 14 Ville Skyttä 2010-10-25 13:45:17 EDT
No progress with the whitelist yet, and bug 646455 will in my opinion make this feature moot in rpmlint, so closing as WONTFIX.
Comment 15 Nalin Dahyabhai 2010-10-26 09:46:21 EDT
Bug 646455 was just closed/notabug, but I don't know whether that means we reopen this or just let it go.
Comment 16 Ville Skyttä 2010-10-26 13:54:02 EDT
(In reply to comment #15)
> Bug 646455 was just closed/notabug

Um, no it wasn't :)  https://bugzilla.redhat.com/show_activity.cgi?id=646455

But there is a bit of new development/discussion in it which kind of implements what was requested in this bug (from comment 1 onwards) so WONTFIX might not be entirely accurate, but I don't think we need two bugs open for practically the same thing, especially considering that the original reported issue in this bug report has already been taken care of and it looks like the fix will not be removed.
Comment 17 Nalin Dahyabhai 2010-10-26 14:43:40 EDT
Right you are.  My apologies.  I was thinking of bug #646477.

Note You need to log in before you can comment on or make changes to this bug.