[Bug 912816] Review Request: kyua-testers - Scriptable tester interfaces

https://bugzilla.redhat.com/show_bug.cgi?id=912816

Julio Merino <julio+redhat@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(julio+redhat@mero |
                   |h.net)                      |



--- Comment #7 from Julio Merino <julio+redhat@xxxxxxxxx> ---
Wow, sorry for the looooong delay in replying.  I haven't been paying attention
to either Kyua or Fedora for a long time for various personal reasons... and
recently just got back to them.

Regarding the missing-call-to-setgroups-before-setuid warning: it's true that
the code does not call setgroups, but this is not a real "problem".  The code
in the "tester" binaries implements logic to drop privileges for test cases
that request it, but this is _NOT_ intended to be a security feature and is
documented as such.  (Mind you, it's the test that chooses to request lower
privileges, not the user, so this really is not about security.)  Adding a call
to setgroups() would only silence this specific warning but would do nothing to
improve security.  I think this warning just needs to be ignored here.

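For reference, the call order that the missing-call-to-setgroups-before-setuid warning in comment #7 is about, in code meant to drop root permanently. This is an added example, not part of the original message and not Kyua's code; `drop_privileges`, `groups_reduced_to` and the id 65534 are hypothetical names and a constructed sample value.

```c
#define _DEFAULT_SOURCE          /* exposes setgroups() in <grp.h> on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_result { DROP_OK = 0, DROP_NOT_ROOT = 1, DROP_FAILED = -1 };

/* Returns 1 if the supplementary group list is empty or holds only `gid`. */
static int groups_reduced_to(gid_t gid) {
    gid_t list[1];
    int n = getgroups(0, NULL);              /* size 0: query the count only */
    if (n == 0) return 1;
    if (n != 1) return 0;                    /* error, or extra groups remain */
    return getgroups(1, list) == 1 && list[0] == gid;
}

/* Permanently switch to uid/gid. Order matters: setgroups() and setgid()
 * need root, so they must run before setuid() gives root away. Without the
 * setgroups() call the process keeps root's supplementary groups. */
enum drop_result drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return DROP_NOT_ROOT;         /* nothing to drop */
    if (setgroups(1, &gid) != 0) return DROP_FAILED;  /* 1. supplementary groups */
    if (setgid(gid) != 0) return DROP_FAILED;         /* 2. primary group */
    if (setuid(uid) != 0) return DROP_FAILED;         /* 3. user id, last */

    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid) return DROP_FAILED;
    if (getgid() != gid || getegid() != gid) return DROP_FAILED;
    if (!groups_reduced_to(gid)) return DROP_FAILED;
    if (uid != 0 && setuid(0) == 0) return DROP_FAILED;  /* root was recoverable */
    return DROP_OK;
}

int main(void) {
    /* 65534 is a constructed sample id (commonly "nobody"); adjust as needed. */
    enum drop_result r = drop_privileges(65534, 65534);
    printf("result=%d uid=%d gid=%d\n", (int)r, (int)getuid(), (int)getgid());
    return r == DROP_FAILED;     /* a caller should exit on a failed drop */
}
```
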