#8 Add /usr/bin/ksu to rpmgrill setxid whitelist
Opened 5 years ago by rharwood. Modified 5 years ago

rpmgrill has a setxid whitelist, as seen here: https://github.com/default-to-open/rpmgrill/blob/master/lib/RPM/Grill/Plugin/Setxid.pm#L37

ksu is not on the whitelist, which causes the failure seen in bodhi:

            {
               "arch" : "armv7hl,x86_64",
               "code" : "UnauthorizedSetxid",
               "context" : {
                  "path" : "/usr/bin/ksu"
               },
               "diag" : "File <var>/usr/bin/ksu</var> is setuid root but is not on the setxid whitelist.",
               "subpackage" : "krb5-workstation"
            }

ksu has been setuid since 2005 (when package git history starts) and probably since 1996 (when the rpm history begins).

In investigating, I was unable to find out where the whitelist actually lives. Since there isn't one here, and I assume we're not just flagging every setuid binary in the distro with this test (right?), I'm opening this ticket in the hopes that you'll know where the whitelist is, or the proper procedure for adding to it.

Thanks!


Hmm, I guess there really is no distro-wide rpmgrill config. We certainly don't ship one in our Taskotron task. I think the ideal situation would be to use the same approach as with rpmlint, i.e. add a Fedora-specific config into the rpm. Would you care to ask the package maintainer, and share the ticket link here? Thanks a lot.
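The check behind the `UnauthorizedSetxid` report in this ticket, as an added sketch that is not rpmgrill's code and not part of either comment above: it flags setuid/setgid files in a package file listing that a distro-level allowlist does not cover. The listing format, the allowlist shape, the `example-*` paths and the file modes are assumptions constructed for illustration; the finding fields mirror the report quoted in the ticket.

```python
import stat

# Constructed sample listing: "path octal-mode user group", one packaged file per line.
# Assumed input shape, e.g. what
#   rpm -qp --qf '[%{FILENAMES} %{FILEMODES:octal} %{FILEUSERNAME} %{FILEGROUPNAME}\n]'
# prints for a package.
SAMPLE_LISTING = """\
/usr/bin/example-tool 0100755 root root
/usr/bin/ksu 0104755 root root
/usr/bin/example-wall 0102755 root tty
/usr/bin/example-helper 0106755 root root
/var/lib/example-shared 0042775 root users
"""

# Hypothetical distro allowlist: path -> special bits permitted on that path.
SAMPLE_ALLOWLIST = {
    "/usr/bin/example-wall": {"setgid"},
    "/usr/bin/example-helper": {"setuid"},  # setgid is NOT granted here
}

def special_bits(mode):
    """Return the names of the setuid/setgid bits set in a numeric mode."""
    names = []
    if mode & stat.S_ISUID:
        names.append("setuid")
    if mode & stat.S_ISGID:
        names.append("setgid")
    return names

def audit_setxid(listing, allowlist, subpackage):
    """Return one finding per special bit that the allowlist does not cover."""
    findings = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        # rsplit keeps paths containing spaces intact.
        path, mode_s, user, group = line.rsplit(None, 3)
        mode = int(mode_s, 8)
        # Skip non-regular files (setgid directories are routine); a mode
        # without file-type bits is treated as a regular file.
        if stat.S_IFMT(mode) and not stat.S_ISREG(mode):
            continue
        allowed = allowlist.get(path, set())
        for bit in special_bits(mode):
            if bit in allowed:
                continue
            owner = user if bit == "setuid" else group
            findings.append({
                "code": "UnauthorizedSetxid",
                "context": {"path": path},
                "diag": f"File {path} is {bit} {owner} but is not on the setxid whitelist.",
                "subpackage": subpackage,
            })
    return findings
```

Keying the allowlist on both path and bit means an entry that permits setuid on a path does not silently permit setgid on it as well.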
