| Summary: | rpm loses setuid and setgid bits | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Luc Menut <lmenut> |
| Component: | RPM Packages | Assignee: | Pascal Terjan <pterjan> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | release_blocker | CC: | cjw, doktor5000, ennael1, luigiwalser, mageia, mageia, mageia, thierry.vignaud, tmb |
| Version: | Cauldron | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | rpm-4.12.0.1-13.mga5 | CVE: | |
| Status comment: | |||
|
Luc Menut
2014-11-29 23:11:32 CET
CC:
(none) =>
luigiwalser
Florian Hubold
2014-12-05 00:36:18 CET
CC:
(none) =>
doktor5000 This is still valid in current cauldron (rpm-4.12.0.1-16.mga5).
I just made some more tests; setuid and setgid bits are lost at build time when extracting debug. If I disable find-debuginfo.sh (with %define debug_package %{nil} ), setuid and setgid are not lost.
It's due to patch rpm-4.11.1-sepdebugcrcfix.patch. I've just rebuilt rpm without this patch; setuid and setgid bits are not lost without it. # Fix CRC32 after dwz (#971119) Patch3504: rpm-4.11.1-sepdebugcrcfix.patch patch added in rev 796705 -> rpm-4.12.0.1-13.mga5 (2014-11-13) http://svnweb.mageia.org/packages?view=revision&revision=796705 Fedora/RH bugreport about this patch https://bugzilla.redhat.com/show_bug.cgi?id=971119 Fedora dropped the patch when updating to 4.12.0: http://pkgs.fedoraproject.org/cgit/rpm.git/commit/?id=1d5ceec05f97fc32cafd41a7da06e1d396e8142b Are we sure we still need this patch? If debug infos still work after removing the patch, I guess we can remove it like Fedora. CC:
(none) =>
mageia, mageia, thierry.vignaud, tmb Ah, I was mistaken, the patch was only edited to remove a hunk, but it is still applied in Fedora.
Anne Nicolas
2015-02-05 22:50:01 CET
Assignee:
thierry.vignaud =>
pterjan I've told upstream/FC maintainers about this patch issue. (In reply to Thierry Vignaud from comment #7) > I've told upstream/FC maintainers about this patch issue. Cool. I suspect they will just say, "Use %attr properly" :) Pascal said in the meeting last night that he'd do a little hdlist analysis to compare any setuid files on MGA4 to make sure they are still setuid on MGA5 and thus spot any potential regressions. We've probably not got a few so should be OK to fix at a packaging level. Actually Panu suggests we just drop that patches as it's only usefull for tools devs. Feel free to do it. As for packages, we already have fixed all packages (famous last worlds) Meaning reverting http://svnweb.mageia.org/packages/cauldron/rpm/current/SPECS/rpm.spec?r1=795108&r2=796712&pathrev=796716 patch has been dropped (In reply to Thierry Vignaud from comment #11) > patch has been dropped Thanks Yes Status:
NEW =>
RESOLVED |
Description of problem: Current rpm losts setuid and setgid bits. in kdebase4-runtime, /usr/lib64/kde4/libexec/kdesud should have setgid bit, but rpm -qp --qf='[%{FILEMODES:perms} %{FILENAMES}\n]' kdebase4-runtime-4.14.2-2.mga5.x86_64.rpm |grep kdesud -rwxr-xr-x /usr/lib64/kde4/libexec/kdesud setgid bit is missing in kppp, /usr/bin/kppp should have setuid currently kppp-4.14.2 in cauldron is OK rpm -qp --qf='[%{FILEMODES:perms} %{FILENAMES}\n]' kppp-4.14.2-1.mga5.x86_64.rpm |grep /usr/bin/kppp$ -rwsr-xr-x /usr/bin/kppp setuid bit is present but when I build locally kppp 4.14.3 rpm -qp --qf='[%{FILEMODES:perms} %{FILENAMES}\n]' kppp-4.14.3-0.mga5.x86_64.rpm |grep /usr/bin/kppp$ -rwxr-xr-x /usr/bin/kppp setuid is missing David already reported this problem on -dev ML https://ml.mageia.org/l/arc/dev/2014-11/msg00454.html I don't know if the issue is recent (kppp from Sun Oct 19 is OK), or if the lost is aleatory. Version-Release number of selected component (if applicable): rpm-4.12.0.1-13.mga5 Reproducible: Steps to Reproduce: