On 10:09 Mon 15 Dec , Carsten Haitzler wrote:
> On Sun, 14 Dec 2008 12:25:50 -0200 "Gustavo Sverzut Barbieri"
> <barbi...@profusion.mobi> babbled:
>
> > On Sun, Dec 14, 2008 at 3:48 AM, sda <dmitry.serpok...@gmail.com> wrote:
> > > hi guys!
> > >
> > > here comes a long story, sorry for that. openSUSE will release version
> > > 11.1 soon and this release has a new system of 'brp' checks which are a
> > > bit similar to 'rpmlint' but could not be disabled. yes, i can override
> > > this checks, but this is "illegal". in general, now OBS (OpenSUSE Build
> > > Service) has a single quality standards for all packages and for all
> > > packagers as well (tep, this is a theory or declared note).
> > >
> > > i'm trying to keep up Enlightenment repo for openSUSE in a good shape
> > > and for an upcoming version 11.1 following issues appeared:
> > >
> > > E17.i586: E: permissions-file-setuid-bit (Badness:
> > > 10000) /usr/bin/enlightenment_sys is packaged with setuid/setgid bits
> > > (04555)
> >
> > this is tricky, commands defined in sysactions.conf need to be
> > executed as root (shutdown, reboot, hibernate...).
> >
> > do you know how opensuse expect those to be done? how gnome/kde do that?
>
> as such this needs to be setuid as it needs to be able to run shutdown/reboot
> (or other root-only system actions). there is a whole config defining what
> these actions run (script/command-wise) in /etc/enlightenment/sysactions.conf
> -
> this file is meant to be customised by integrators where appropriate). but the
> setuid is required for this to work. sure you can jump through hoops and
> create
> a root or setuid daemon you use dbus or some for of ipc with too - but one way
> or another it requires root perms in the end, and this util accomplishes that.
> so basically it needs to be kept as setuid.
>
> > > E17.i586: E: permissions-file-setuid-bit (Badness:
> > > 10000) /usr/lib/enlightenment/modules/cpufreq/linux-gnu-i686/freqset is
> > > packaged with setuid/setgid bits (04555) Please remove the setuid/setgid
> > > bits or contact secur...@suse.de for review.
> >
> > i know we can just set frequency using some system utilities like
> > those dbus daemons some systems have. Then we can just remove this
> > suid and rely on policykit or similar for authorization.
>
> we can - but non-dbus users will see functionality go away. it's needed to be
> setuid so you can change cpu frequency policy or manually change it - this
> util
> does only that and nothing more. it'd need to be kept for compatibility
> anyway.
>
> so i'd suggest you "contact secur...@suse.de" :) as these are setuid for a
> reason. as such cpufreq switching is fairly harmless (the security nuts of
> course will jump up and down, but i disagree with them. if you install e on a
> shared server - you disable any form of cpufreq in the kernel anyway. if you
> use it on a desktop/laptop - you don't allow remote logins anyway - or those
> you
> do are for trusted users anyway). enlightenment_sys can be dangerous as it
> allows shutdown/reboot - actions with dramatically impact the system, and thus
> it has a whole permission config setup. :)
>
guys, here comes the reply from openSUSE Securuty Team. i'm just
copy-paste it as it is:
sda wrote:
> > another kind request to allow me make a proper build of
> >
> >
> > Enlightenment-DR17 Desktop Shell (Window Manager). i'm again advised
> > to
> >
> > bother you by OBS:
> >
> >
> >
> >
> >
> > E17.i586: E: permissions-file-setuid-bit (Badness: 10000)
> > /usr/bin/enlightenment_sys is packaged with setuid/setgid bits
> > (04555)
> > E17.i586: E: permissions-file-setuid-bit (Badness: 10000)
> > /usr/lib/enlightenment/modules/cpufreq/linux-gnu-i686/freqset is
> >
> > packaged with setuid/setgid bits (04555) Please remove the
> > setuid/setgid
> >
> > bits or contact secur...@suse.de for review.
> >
> >
We normally don't audit packages that are not meant to be included
in openSUSE. If you desperately need those setuid bits you may
suppress the error via rpmlintrc. However, read below why they are
not needed.
> the SUID bit for 'enlightenment_sys' is required to allow user to
>
> shutdown or reboot PC (halt, hybernate or use any defined privileged
>
> action described in '/etc/enlightenment/sysactions.conf' file)
>
There are D-Bus methods in both Hal and ConsoleKit for that. There
is no need to have an extra setuid program. If you want to
seamlessly integrate your program into openSUSE you should invoke
those existing methods instead (no extra privilege needed then).
> > the second SUID points to the:
> >
> >
> > /usr/lib/enlightenment/modules/cpufreq/linux-gnu-i686/freqset
> >
> >
> >
> >
> >
> > and this is part of a 'cpufreq' module which allow Users to change
> > CPU
> >
> > Power policy on the fly (according to the existing governors). this
> > is
> >
> > very useful and nice tool, so it'd be great to add it as an
> > exception
> >
> > (include into a kind of whitelist) for a checks. this module is
> > working
> >
> > for years with Enlightenment-DR17 and Users are get used to have it.
> >
> >
Same as above. Hal provides power management functions. There is
also a command line program 'powersave' that you can call.
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
the answer is amazing, let me explain why:
1-st case (changing CPU governor via recommended 'powersave'):
sda : ~ > whoami
sda
sda : ~ > powersave -O
liblazy (liblazy_dbus_send_method_call:97): Received error reply:
org.freedesktop.hal.power-management.cpufreq no <-- (action, result)
Could not get current CPUFreq governor.
sda : ~ > sudo powersave -O
Current CPUFreq governor: ondemand
2-nd case (changing CPU governor via DBUS with a User privileges):
sda : ~ > whoami
sda
sda : ~ > dbus-send --system --print-reply
--dest=org.freedesktop.Hal /org/freedesktop/Hal/devices/computer
org.freedesktop.Hal.Device.CPUFreq.SetCPUFreqGovernor string:ondemand
Error
org.freedesktop.Hal.Device.CPUFreq.org.freedesktop.Hal.Device.PermissionDeniedByPolicy:
org.freedesktop.hal.power-management.cpufreq no <-- (action, result)
sda : ~ > sudo dbus-send --system --print-reply
--dest=org.freedesktop.Hal /org/freedesktop/Hal/devices/computer
org.freedesktop.Hal.Device.CPUFreq.SetCPUFreqGovernor string:ondemand
method return sender=:1.1 -> dest=:1.76 reply_serial=2
3-rd case (shutting down the PC via DBUS with a User privileges):
sda : ~ > whoami
sda
sda : ~ > dbus-send --system --print-reply
--dest=org.freedesktop.Hal /org/freedesktop/Hal/devices/computer
org.freedesktop.Hal.Device.SystemPowerManagement.Shutdown
Error org.freedesktop.Hal.Device.PermissionDeniedByPolicy:
org.freedesktop.hal.power-management.shutdown no <-- (action, result)
sda : ~ > sudo dbus-send ....... and we're dead in the end :)
as you can see the default policies prohibit running such actions having
only User privileges. all examples are from a PC running openSUSE-11.0
with all latest updates installed.
i'm sure gonna with joy and pleasure report this events back and kindly
ask about some better genius ideas.
guys, are you interested to be in CC: in all the following wonderful
emails with a superior openSUSE Security Team?
as a result i supressed all warnings and building E17 as it should be with
SUID set and enabled.
thank you very much for your kind attention!
regards,
sda
P.S. if this topic is boring for you - please let me know. i'll drop any
further communications with SUSE Security Team and will do whatever
consider necessary to make a nice builds of EFL software for an ordinary
Users. the only potential benefit here for E is that my spec's could be
easily updated to build a packages for all major Linux distributions
with OpenSUSE Build Service (RHEL, FC, xUbuntu, MDK, etc.)
------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can't happen without you. Join us at MIX09 to help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
_______________________________________________
enlightenment-devel mailing list
enlightenment-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
