On Sun, 14 Dec 2008 12:25:50 -0200 "Gustavo Sverzut Barbieri"
<barbi...@profusion.mobi> babbled:

> On Sun, Dec 14, 2008 at 3:48 AM, sda <dmitry.serpok...@gmail.com> wrote:
> > hi guys!
> >
> > here comes a long story, sorry for that. openSUSE will release version
> > 11.1 soon and this release has a new system of 'brp' checks which are a
> > bit similar to 'rpmlint' but could not be disabled. yes, i can override
> > these checks, but this is "illegal". in general, now OBS (OpenSUSE Build
> > Service) has a single quality standard for all packages and for all
> > packagers as well (yep, this is a theory or declared note).
> >
> > i'm trying to keep up Enlightenment repo for openSUSE in a good shape
> > and for an upcoming version 11.1 following issues appeared:
> >
> > E17.i586: E: permissions-file-setuid-bit (Badness:
> > 10000) /usr/bin/enlightenment_sys is packaged with setuid/setgid bits
> > (04555)
> 
> this is tricky, commands defined in sysactions.conf need to be
> executed as root (shutdown, reboot, hibernate...).
> 
> do you know how opensuse expects those to be done? how gnome/kde do that?

as such this needs to be setuid as it needs to be able to run shutdown/reboot
(or other root-only system actions). there is a whole config defining what
these actions run (script/command-wise) in /etc/enlightenment/sysactions.conf
(this file is meant to be customised by integrators where appropriate). but the
setuid is required for this to work. sure you can jump through hoops and create
a root or setuid daemon you use dbus or some form of ipc with too - but one way
or another it requires root perms in the end, and this util accomplishes that.
so basically it needs to be kept as setuid.

> > E17.i586: E: permissions-file-setuid-bit (Badness:
> > 10000) /usr/lib/enlightenment/modules/cpufreq/linux-gnu-i686/freqset is
> > packaged with setuid/setgid bits (04555) Please remove the setuid/setgid
> > bits or contact secur...@suse.de for review.
> 
> i know we can just set frequency using some system utilities like
> those dbus daemons some systems have. Then we can just remove this
> suid and rely on policykit or similar for authorization.

we can - but non-dbus users will see functionality go away. it's needed to be
setuid so you can change cpu frequency policy or manually change it - this util
does only that and nothing more. it'd need to be kept for compatibility anyway.

so i'd suggest you "contact secur...@suse.de" :) as these are setuid for a
reason. as such cpufreq switching is fairly harmless (the security nuts of
course will jump up and down, but i disagree with them. if you install e on a
shared server - you disable any form of cpufreq in the kernel anyway. if you
use it on a desktop/laptop - you don't allow remote logins anyway - or those you
do are for trusted users anyway). enlightenment_sys can be dangerous as it
allows shutdown/reboot - actions which dramatically impact the system, and thus
it has a whole permission config setup. :)

-- 
------------- Codito, ergo sum - "I code, therefore I am" --------------
The Rasterman (Carsten Haitzler)    ras...@rasterman.com


_______________________________________________
enlightenment-devel mailing list
enlightenment-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
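
The kind of packaging check discussed in this thread, as an added example that is not part of the original messages and does not reproduce openSUSE's brp or rpmlint code: it walks an unpacked package tree and reports regular files carrying setuid/setgid bits unless the path and exact mode appear on a reviewed allow-list. The `REVIEWED` table and the function names are assumptions made for this sketch.

```python
import os
import stat

# Constructed allow-list (an assumption of this example): packaged paths whose
# setuid/setgid bits were approved by a security review, with the approved mode.
REVIEWED = {"/usr/bin/enlightenment_sys": 0o4555}

SPECIAL = stat.S_ISUID | stat.S_ISGID
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def classify(path, mode, reviewed=REVIEWED):
    """Return None for an unremarkable file, else a (level, message) finding."""
    if not stat.S_ISREG(mode) or not mode & SPECIAL:
        return None
    perm = stat.S_IMODE(mode)
    shown = f"{perm:05o}"
    if perm & WRITABLE_BY_OTHERS:
        # A privileged binary that non-owners can rewrite is never acceptable.
        return ("E", f"{path} is setuid/setgid and group/world-writable ({shown})")
    approved = reviewed.get(path)
    if approved is None:
        return ("E", f"{path} is packaged with setuid/setgid bits ({shown}), not reviewed")
    if approved != perm:
        return ("E", f"{path} has mode {shown}, review approved {approved:05o}")
    return ("I", f"{path} carries reviewed setuid/setgid bits ({shown})")


def audit_buildroot(root, reviewed=REVIEWED):
    """Walk an unpacked package tree and classify every file by packaged path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode  # lstat: never follow symlinks out of root
            packaged = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            finding = classify(packaged, mode, reviewed)
            if finding:
                findings.append(finding)
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for level, message in audit_buildroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{level}: {message}")
```

Pinning the approved mode as well as the path means a later packaging change from 04555 to a looser mode is reported again instead of inheriting the earlier review.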