Hello,
please check https://bugzilla.redhat.com/show_bug.cgi?id=334311, Comment
#27. After discussion with sec guys here I sent it for the review to our
security standards team.
So this change will not be released without review.
Regards,
martin
Thorsten Leemhuis wrote:
On 26.10.2007 10:44, Martin Stransky (stransky) wrote:
Author: stransky
Martin, please don't take the mail as offense. Your commit just reminded
me of something I wanted to bring up.
Update of /cvs/pkgs/rpms/nspluginwrapper/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21292
Modified Files:
nspluginwrapper.spec
Added Files:
plugin-config-setuid.patch
Log Message:
* Fri Oct 26 2007 Martin Stransky <stransky@xxxxxxxxxx> 0.9.91.5-10
- mozilla-plugin-config can be run by normal user now
plugin-config-setuid.patch:
--- NEW FILE plugin-config-setuid.patch ---
--- mozilla/plugin-config-1.6/src/Makefile.in.old 2007-07-24 13:28:56.000000000 +0200
+++ mozilla/plugin-config-1.6/src/Makefile.in 2007-07-24 13:47:24.000000000 +0200
@@ -44,7 +44,7 @@ mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
am__installdirs = "$(DESTDIR)$(bindir)"
-binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -m 4755
PROGRAMS = $(bin_PROGRAMS)
am_mozilla_plugin_config_OBJECTS = plugin-config.$(OBJEXT) \
plugin-detection.$(OBJEXT) plugin-dir.$(OBJEXT)
We should try to avoid to much bureaucracy, but well, I feel a bit
uncomfortable with to many SUID apps in Fedora. Should we track them
somehow (a script that looks at the repo could likely create such a
list) and review the list now and then?
Or put at least a little hurdle between SUID bits and the Fedora-repo
with a "SUID apps must be reviewed/permitted by FOO" rule or something
like that?
Just wondering.
CU
knurd
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
