https://bugzilla.redhat.com/show_bug.cgi?id=1645172

--- Comment #20 from Jaroslav Škarvada <jskarvad@xxxxxxxxxx> ---

(In reply to dan.cermak from comment #17)
> (In reply to Jaroslav Škarvada from comment #16)
> > (In reply to Ondrej Dubaj from comment #15)
> > > It builds for me also. But using rpmlint I get these errors:
> > >
> > > $ rpmlint RPMS/x86_64/firejail-0.9.56-3.fc28.x86_64.rpm
> > > firejail.x86_64: E: setuid-binary /usr/bin/firejail root 4755
> > > firejail.x86_64: E: non-standard-executable-perm /usr/bin/firejail 4755
> > >
> > > I am not exactly sure if it will be better to remove the suid bit or to
> > > ignore these errors.
> >
> > This is a false positive (in this case).
>
> While firejail itself would like to be setuid root, that could be a security
> problem. See for instance this discussion on the SUSE Bugzilla:
> https://bugzilla.suse.com/show_bug.cgi?id=1059013 . They have decided to
> drop the suid root and instead create a Firejail group, to which each user
> must add themselves (see SUSE's spec:
> https://build.opensuse.org/package/view_file/Virtualization/firejail/firejail.spec?expand=1).
>
> Maybe we could consider that option, too?

I will leave it to the package maintainer. From my point of view:

- The solution with a special group is cleaner and could be safer.
- With SUID, the build is already hardened and I think the possible attack vector is low: it would require finding some security bug in the firejail application to exploit.
- IIRC, in the past FESCo kept a list of SUID packages and every new SUID package required explicit approval; this is no longer the case, thus we could also go with the SUID.
- One more thing to note: there is also the 'upstream first' philosophy in Fedora, so if we go with the special group, we should try to get it into upstream so as not to diverge from it.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component.

package-review mailing list -- package-review@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/package-review@xxxxxxxxxxxxxxxxxxxxxxx
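The two layouts debated in the thread above (a world-executable setuid-root binary, which rpmlint flags as 4755, versus a setuid binary whose execute bit is restricted to a dedicated firejail group as in the SUSE package), as an added example that is not part of the bug report or of the firejail project: a small POSIX shell check that classifies a binary's exposure from its mode bits. It assumes GNU coreutils `stat` and builds throwaway stand-ins for /usr/bin/firejail in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the bug report: classify how widely a setuid binary
# is reachable from its mode bits. Models the two packaging options discussed:
#   4755 root:root      -> any local user can run the setuid-root binary
#   4750 root:firejail  -> only members of the firejail group can run it
# Assumes GNU coreutils stat (Linux); the files below are constructed stand-ins.
set -eu

# Usage: classify_setuid PATH
# Prints one of: world-setuid | group-setuid | not-setuid
classify_setuid() {
    mode=$(printf '%04d' "$(stat -c '%a' "$1")")   # 755 -> 0755, 4755 stays 4755
    special=${mode%???}          # leading digit: setuid(4) / setgid(2) / sticky(1)
    other=${mode#???}            # trailing digit: permissions for "other"
    if [ $(( special & 4 )) -eq 0 ]; then
        echo not-setuid
    elif [ $(( other & 1 )) -ne 0 ]; then
        echo world-setuid           # what rpmlint reports as setuid-binary 4755
    else
        echo group-setuid           # the SUSE-style group-restricted layout
    fi
}

# Build throwaway stand-ins for /usr/bin/firejail under both layouts and report.
demo_firejail_modes() {
    dir=$(mktemp -d)
    : > "$dir/firejail-suid";  chmod 4755 "$dir/firejail-suid"
    : > "$dir/firejail-group"; chmod 4750 "$dir/firejail-group"
    for f in "$dir"/firejail-*; do
        printf '%s %s -> %s\n' "$(stat -c '%a' "$f")" "$f" "$(classify_setuid "$f")"
    done
    rm -rf "$dir"
}

demo_firejail_modes
```

A group-restricted binary still carries the setuid bit, so a bug in firejail still yields root; the group only narrows who can reach that code path, which is the trade-off the comment weighs.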