Bug 646455 - Can RPMLint notice setuid apps and recommend using file capabilities
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: rpmlint
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Assigned To: Ville Skyttä
QA Contact: Fedora Extras Quality Assurance
Blocks: removesetuid
Reported: 2010-10-25 09:09 EDT by Daniel Walsh
Modified: 2011-04-05 09:10 EDT (History)
Fixed In Version: rpmlint-1.0-1.fc14
Doc Type: Bug Fix
Doc Text:
Last Closed: 2010-11-10 16:50:06 EST
Description Daniel Walsh 2010-10-25 09:09:34 EDT
Description of problem:

I have proposed a feature for F15 to remove all setuid apps and replace them with file capabilities.   As part of this effort, I would like to get rpmlint to report a warning on setuid and recommend they use file capabilities.

https://fedoraproject.org/wiki/Features/RemoveSETUID
Comment 1 Ville Skyttä 2010-10-25 13:43:49 EDT
rpmlint already reports errors about setuid binaries, for example:

$ rpmlint util-linux-ng | grep setuid-binary
util-linux-ng.x86_64: E: setuid-binary /usr/bin/chsh root 04711L
util-linux-ng.x86_64: E: setuid-binary /bin/mount root 04755L
util-linux-ng.x86_64: E: setuid-binary /usr/bin/chfn root 04711L
util-linux-ng.x86_64: E: setuid-binary /bin/umount root 04755L

I just added a note about file capabilities to the info message upstream:
http://rpmlint.zarb.org/cgi-bin/trac.cgi/changeset/1810

Previously there was a thought that we'd start collecting a "whitelist" of allowed setuid binaries (see bug 496737) but I suppose this Feature will make that point moot.

There's only one setuid executable (/usr/kerberos/bin/ksu) whitelisted in the current Fedora rpmlint package; that whitelisting should be removed.
Comment 2 Daniel Walsh 2010-10-25 15:33:46 EDT
No, I think we are going to have to allow a few: su, sudo, consolehelper, ksu.
Comment 3 Ville Skyttä 2010-10-25 16:42:33 EDT
Ok, I'll add su and sudo (and sudoedit) to the whitelist instead.  Don't know about consolehelper, FWIW /usr/bin/consolehelper is not setuid here (F-13).

$ ls -l /usr/bin/consolehelper*
-rwxr-xr-x 1 root root  9048 Mar 26  2010 /usr/bin/consolehelper
-rwxr-xr-x 1 root root 42072 Mar 26  2010 /usr/bin/consolehelper-gtk
Comment 4 Daniel Walsh 2010-10-26 08:47:37 EDT
-rws--x--x. 1 root root 43856 Sep 29 19:18 /usr/sbin/userhelper

Some of the other requests are being rejected also.  passwd, and initctl?
Comment 5 Ville Skyttä 2010-10-26 14:05:01 EDT
(In reply to comment #4)
> -rws--x--x. 1 root root 43856 Sep 29 19:18 /usr/sbin/userhelper

Ah, userhelper, not consolehelper.

> Some of the other requests are being rejected also.  passwd, and initctl?

Not sure what you mean by that - if you're asking me whether those should be whitelisted or not, I'm sure you're more qualified to tell it than I am.

Anyway, this is what I currently have in store for the next rpmlint package's default config; you can try it out by inserting it into your ~/.config/rpmlint:

# https://bugzilla.redhat.com/496737, https://bugzilla.redhat.com/646455
for pkg, exe in (("coreutils", "/bin/su"),
                 ("krb5-workstation", "/usr/kerberos/bin/ksu"),
                 ("passwd", "/usr/bin/passwd"),
                 ("sudo", "/usr/sbin/sudo(edit)?"),
                 ("upstart", "/sbin/initctl"),
                 ("usermode", "/usr/sbin/userhelper")):
    addFilter("%s.* (setuid-binary|non-standard-executable-perm) %s (root )?04"
              % (pkg, exe))
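The following is an added example, not part of this bug thread and not rpmlint's own code. It shows what the whitelist above actually does when rpmlint's filter machinery applies it: the script parses rpmlint output of the form quoted in comment 1, builds the same regexes the `addFilter()` calls produce (with the sudo path under /usr/bin, as comment 6 corrects), suppresses the whitelisted setuid binaries, and attaches the file-capabilities recommendation to every remaining setuid-binary finding. It also includes a small filesystem walker for the same class of binaries. The rpmlint output it runs over is constructed for the example; `Finding`, `parse_rpmlint_output`, `is_whitelisted`, `unexpected_setuid` and `find_setuid_files` are names chosen here and are not rpmlint APIs.

```python
"""Post-process rpmlint output: keep setuid-binary findings, apply the
addFilter()-style whitelist from the bug's proposed config, and attach a
file-capabilities recommendation to whatever is left over.  Example code,
not part of rpmlint."""

import os
import re
import stat
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample modelled on the rpmlint lines quoted in comment 1
# (not captured from a real run).  Trailing "L" is the Python 2 long suffix
# rpmlint printed at the time.
SAMPLE_RPMLINT_OUTPUT = """\
util-linux-ng.x86_64: E: setuid-binary /usr/bin/chsh root 04711L
util-linux-ng.x86_64: E: setuid-binary /bin/mount root 04755L
coreutils.x86_64: E: setuid-binary /bin/su root 04755L
sudo.x86_64: E: setuid-binary /usr/bin/sudo root 04111L
sudo.x86_64: E: setuid-binary /usr/bin/sudoedit root 04111L
util-linux-ng.x86_64: W: no-documentation
"""

# Same (package, path-regex) pairs as the proposed config, sudo under /usr/bin.
WHITELIST = (
    ("coreutils", "/bin/su"),
    ("krb5-workstation", "/usr/kerberos/bin/ksu"),
    ("passwd", "/usr/bin/passwd"),
    ("sudo", "/usr/bin/sudo(edit)?"),
    ("upstart", "/sbin/initctl"),
    ("usermode", "/usr/sbin/userhelper"),
)

# The exact pattern string each addFilter() call in the config is given.
FILTER_TEMPLATE = "%s.* (setuid-binary|non-standard-executable-perm) %s (root )?04"
FILTERS = [re.compile(FILTER_TEMPLATE % (pkg, exe)) for pkg, exe in WHITELIST]

# "<package>: E: setuid-binary <path> <owner> <octal mode>"
LINE_RE = re.compile(
    r"^(?P<pkg>[^:]+): (?P<level>[EWI]): setuid-binary "
    r"(?P<path>\S+) (?P<owner>\S+) (?P<mode>0[0-7]+)L?$"
)


@dataclass
class Finding:
    package: str
    path: str
    owner: str
    mode: int
    whitelisted: bool

    def report(self) -> str:
        """One human-readable line; non-whitelisted entries get the advice."""
        state = "whitelisted" if self.whitelisted else "NOT whitelisted"
        line = "%s: %s owned by %s, mode %05o (%s)" % (
            self.package, self.path, self.owner, self.mode, state)
        if not self.whitelisted:
            line += (" -- consider dropping setuid and granting only the "
                     "needed file capabilities with setcap(8)")
        return line


def is_whitelisted(line: str) -> bool:
    """A message is suppressed when any filter regex matches it; the patterns
    are unanchored, so re.search is the right test."""
    return any(f.search(line) for f in FILTERS)


def parse_rpmlint_output(text: str) -> List[Finding]:
    """Extract setuid-binary messages; other rpmlint messages are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        findings.append(Finding(
            package=m.group("pkg"),
            path=m.group("path"),
            owner=m.group("owner"),
            mode=int(m.group("mode"), 8),
            whitelisted=is_whitelisted(line),
        ))
    return findings


def unexpected_setuid(findings: List[Finding]) -> List[Finding]:
    """The findings that would still be reported after filtering."""
    return [f for f in findings if not f.whitelisted]


def find_setuid_files(root: str) -> List[Tuple[str, int]]:
    """Walk a tree and return (path, permission bits) for every regular file
    with the setuid or setgid bit set.  Symlinks are not followed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.S_IMODE(st.st_mode)))
    return hits


if __name__ == "__main__":
    for f in parse_rpmlint_output(SAMPLE_RPMLINT_OUTPUT):
        print(f.report())
    for path, mode in find_setuid_files("/usr/bin"):
        print("%05o %s" % (mode, path))
```

Run as a script it prints the five findings (su, sudo and sudoedit marked as whitelisted, chsh and mount with the setcap recommendation) and then whatever setuid/setgid files exist under /usr/bin on the host. Note that the package name is matched with an unanchored `.*` after it, exactly as in the config, so a filter for "sudo" would also match any package whose name merely contains that string.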
Comment 6 Ville Skyttä 2010-10-26 14:10:51 EDT
(In reply to comment #5)
>                  ("sudo", "/usr/sbin/sudo(edit)?"),

This should be /usr/bin, not /usr/sbin.
Comment 7 Fedora Update System 2010-11-01 17:50:51 EDT
rpmlint-1.0-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/rpmlint-1.0-1.fc14
Comment 8 Fedora Update System 2010-11-02 18:15:24 EDT
rpmlint-1.0-1.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update rpmlint'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/rpmlint-1.0-1.fc14
Comment 9 Fedora Update System 2010-11-10 16:49:49 EST
rpmlint-1.0-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.