Bug 496737 - rpmlint incorrectly treats setuid /usr/kerberos/bin/ksu as an error
Summary: rpmlint incorrectly treats setuid /usr/kerberos/bin/ksu as an error
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: rpmlint
Version: 13
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Ville Skyttä
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-04-20 21:12 UTC by Nalin Dahyabhai
Modified: 2010-10-26 18:43 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-10-25 17:45:17 UTC


Attachments (Terms of Use)

Description Nalin Dahyabhai 2009-04-20 21:12:52 UTC
When run against the krb5-workstation package, rpmlint-0.87-1.fc11 is printing an error that /usr/kerberos/bin/ksu is setuid.  This binary's been setuid since FC5, and the security response team should already have it in their whitelist.

Comment 1 Ville Skyttä 2009-05-18 19:14:28 UTC
All we can do about this is to filter the message out in the Fedora rpmlint config.  But I would like to do that for all "known good" setuid/setgid executables while at it.  Is the security response team's whitelist available in public so I could use it to add the exceptions?

Comment 2 Josh Bressers 2009-05-19 13:36:48 UTC
The list isn't public yet. I'm happy to maintain the list for our rpmlint config. Just help me understand what is needed.

Thanks.

Comment 3 Ville Skyttä 2009-05-21 09:00:27 UTC
(In reply to comment #2)
> The list isn't public yet. I'm happy to maintain the list for our rpmlint
> config. Just help me understand what is needed.

For each whitelisted setuid/setgid executable, we'll want to mute two rpmlint messages, the setuid/setgid one, and the non-standard-executable-perm one.  For example:

krb5-workstation.x86_64: E: setuid-binary /usr/kerberos/bin/ksu root 04755
krb5-workstation.x86_64: E: non-standard-executable-perm /usr/kerberos/bin/ksu 04755

These would be filtered out in rpmlint's config (/usr/share/rpmlint/config when installed, rpmlint.config in CVS) for example with:

addFilter("krb5-workstation.+ (setuid-binary|non-standard-executable-perm) /usr/kerberos/bin/ksu (root )?04755")

Comment 4 Bug Zapper 2009-06-09 14:14:52 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 5 Fedora Update System 2009-06-21 22:00:56 UTC
rpmlint-0.89-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/rpmlint-0.89-1.fc11

Comment 6 Fedora Update System 2009-06-21 22:02:13 UTC
rpmlint-0.89-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/rpmlint-0.89-1.fc10

Comment 7 Fedora Update System 2009-06-29 15:46:23 UTC
rpmlint-0.90-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/rpmlint-0.90-1.fc11

Comment 8 Fedora Update System 2009-06-29 15:48:40 UTC
rpmlint-0.90-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/rpmlint-0.90-1.fc10

Comment 9 Ville Skyttä 2009-07-13 05:12:50 UTC
Setting needinfo for comments 2 and 3.

Comment 10 Fedora Update System 2009-07-16 07:26:59 UTC
rpmlint-0.90-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2009-07-16 07:29:36 UTC
rpmlint-0.90-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Bug Zapper 2010-04-27 13:49:40 UTC
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 13 Ville Skyttä 2010-04-27 18:08:11 UTC
Still waiting for feedback to comment 2 and comment 3 from Josh or other security response team members.

Comment 14 Ville Skyttä 2010-10-25 17:45:17 UTC
No progress with the whitelist yet, and bug 646455 will in my opinion make this feature moot in rpmlint, so closing as WONTFIX.

Comment 15 Nalin Dahyabhai 2010-10-26 13:46:21 UTC
Bug 646455 was just closed/notabug, but I don't know whether that means we reopen this or just let it go.

Comment 16 Ville Skyttä 2010-10-26 17:54:02 UTC
(In reply to comment #15)
> Bug 646455 was just closed/notabug

Um, no it wasn't :)  https://bugzilla.redhat.com/show_activity.cgi?id=646455

But there is a bit of new development/discussion in it which kind of implements what was requested in this bug (from comment 1 onwards) so WONTFIX might not be entirely accurate, but I don't think we need two bugs open for practically the same thing, especially considering that the original reported issue in this bug report has already been taken care of and it looks like the fix will not be removed.

Comment 17 Nalin Dahyabhai 2010-10-26 18:43:40 UTC
Right you are.  My apologies.  I was thinking of bug #646477.


Note You need to log in before you can comment on or make changes to this bug.