On Mon, 15 December 2008 Carsten Haitzler (The Rasterman) wrote: > On Sun, 14 Dec 2008 12:25:50 -0200 "Gustavo Sverzut Barbieri" babbled: > > On Sun, Dec 14, 2008 at 3:48 AM, sda wrote: > > > hi guys! > > > > > > here comes a long story, sorry for that. openSUSE will release > > > version 11.1 soon and this release has a new system of 'brp' > > > checks which are a bit similar to 'rpmlint' but could not be > > > disabled. yes, i can override this checks, but this is "illegal". > > > in general, now OBS (OpenSUSE Build Service) has a single quality > > > standards for all packages and for all packagers as well (tep, > > > this is a theory or declared note). > > > > > > i'm trying to keep up Enlightenment repo for openSUSE in a good > > > shape and for an upcoming version 11.1 following issues appeared: > > > > > > E17.i586: E: permissions-file-setuid-bit (Badness: > > > 10000) /usr/bin/enlightenment_sys is packaged with setuid/setgid > > > bits (04555) > > > > this is tricky, commands defined in sysactions.conf need to be > > executed as root (shutdown, reboot, hibernate...). > > > > do you know how opensuse expect those to be done? how gnome/kde do > > that? > > as such this needs to be setuid as it needs to be able to run > shutdown/reboot (or other root-only system actions). there is a whole > config defining what these actions run (script/command-wise) > in /etc/enlightenment/sysactions.conf - this file is meant to be > customised by integrators where appropriate). but the setuid is > required for this to work. sure you can jump through hoops and create > a root or setuid daemon you use dbus or some for of ipc with too - > but one way or another it requires root perms in the end, and this > util accomplishes that. so basically it needs to be kept as setuid. > > > > E17.i586: E: permissions-file-setuid-bit (Badness: > > > 10000) /usr/lib/enlightenment/modules/cpufreq/linux-gnu-i686/freqset > > > is packaged with setuid/setgid bits (04555) Please remove the > > > setuid/setgid bits or contact secur...@suse.de for review. > > > > i know we can just set frequency using some system utilities like > > those dbus daemons some systems have. Then we can just remove this > > suid and rely on policykit or similar for authorization. > > we can - but non-dbus users will see functionality go away. it's > needed to be setuid so you can change cpu frequency policy or > manually change it - this util does only that and nothing more. it'd > need to be kept for compatibility anyway.
They could avoid the SUID bit if capabilities were supported... Then it's just a matter of setting the right file-capabilities for enlightenment_sys instead of SUID. Looking at the code it checks for uid==0 and gid==0 though it would rather be good to check for required capabilities (using libcap) only. e.g. shutdown, reboot, halt should have enough with CAP_BOOT Bruno ------------------------------------------------------------------------------ _______________________________________________ enlightenment-devel mailing list enlightenment-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
