[Bug 2168538] Review Request: minidlna - Lightweight DLNA/UPnP-AV server targeted at embedded systems


 



https://bugzilla.redhat.com/show_bug.cgi?id=2168538



--- Comment #11 from Benson Muite <benson_muite@xxxxxxxxxxxxx> ---
$ rpmlint -e missing-call-to-setgroups-before-setuid
missing-call-to-setgroups-before-setuid:
This executable is calling setuid and setgid without setgroups or initgroups.
This means it didn't relinquish all groups, and this would be a potential
security issue.


Maybe the file minidlna.c should be modified? It uses setgid and setuid but
does not get all the associated group ids; see

https://www.gnu.org/software/libc/manual/html_node/Setting-Groups.html

$ rpmlint -e non-standard-uid
non-standard-uid:
A file in this package is owned by an unregistered user id. To register the
user, please make a pull request to the rpmlint config file
configs/Fedora/fedora.toml in the rpmlint repository.

$ rpmlint -e non-standard-gid
non-standard-gid:
A file in this package is owned by an unregistered group id. To register the
group, please make a pull request to the rpmlint config file
configs/Fedora/fedora.toml in the rpmlint repository.

Not clear what to change at:
https://github.com/rpm-software-management/rpmlint/blob/main/configs/Fedora/fedora.toml

Should minidlna have a directory instead of /dev/null?
useradd -r -g minidlna -d /dev/null 

Might it be possible to use dynamic allocation:
https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation

Nginx recommends logrotate:
https://src.fedoraproject.org/rpms/nginx/blob/rawhide/f/nginx.spec





