Bug 14691 - rpm loses setuid and setgid bits
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: All Linux
Priority: release_blocker normal
Assignee: Pascal Terjan
Reported: 2014-11-29 23:02 CET by Luc Menut
Modified: 2015-02-14 22:25 CET
Source RPM: rpm-4.12.0.1-13.mga5

Description Luc Menut 2014-11-29 23:02:08 CET
Description of problem:
Current rpm loses setuid and setgid bits.
In kdebase4-runtime, /usr/lib64/kde4/libexec/kdesud should have the setgid bit, but
rpm -qp --qf='[%{FILEMODES:perms} %{FILENAMES}\n]' kdebase4-runtime-4.14.2-2.mga5.x86_64.rpm |grep kdesud
-rwxr-xr-x /usr/lib64/kde4/libexec/kdesud
setgid bit is missing

in kppp, /usr/bin/kppp should have setuid
currently kppp-4.14.2 in cauldron is OK
rpm -qp --qf='[%{FILEMODES:perms} %{FILENAMES}\n]' kppp-4.14.2-1.mga5.x86_64.rpm |grep /usr/bin/kppp$
-rwsr-xr-x /usr/bin/kppp
setuid bit is present

but when I build locally kppp 4.14.3
rpm -qp --qf='[%{FILEMODES:perms} %{FILENAMES}\n]' kppp-4.14.3-0.mga5.x86_64.rpm |grep /usr/bin/kppp$
-rwxr-xr-x /usr/bin/kppp
setuid is missing

David already reported this problem on -dev ML
https://ml.mageia.org/l/arc/dev/2014-11/msg00454.html

I don't know if the issue is recent (kppp from Sun Oct 19 is OK), or if the loss is aleatory.

Version-Release number of selected component (if applicable):
rpm-4.12.0.1-13.mga5


Luc Menut 2014-11-29 23:11:32 CET

CC: (none) => luigiwalser
Summary: setuid and setgid bits => rpm loses setuid and setgid bits
Assignee: bugsquad => thierry.vignaud
Priority: Normal => release_blocker

Comment 1 Christiaan Welvaart 2014-11-29 23:16:48 CET
See also https://bugs.mageia.org/show_bug.cgi?id=14593

CC: (none) => cjw

Florian Hubold 2014-12-05 00:36:18 CET

CC: (none) => doktor5000

Comment 2 Anne Nicolas 2015-01-22 08:49:50 CET
Any new input on that bug ?

CC: (none) => ennael1

Comment 3 Luc Menut 2015-01-25 11:25:01 CET
This is still valid in current cauldron (rpm-4.12.0.1-16.mga5).

I just made some more tests; setuid and setgid bits are lost at build time when extracting debug. If I disable find-debuginfo.sh (with %define  debug_package %{nil} ), setuid and setgid are not lost.
Comment 4 Luc Menut 2015-01-25 12:05:10 CET
It's due to patch rpm-4.11.1-sepdebugcrcfix.patch.
I've just rebuilt rpm without this patch; setuid and setgid bits are not lost without it.

# Fix CRC32 after dwz (#971119)
Patch3504: rpm-4.11.1-sepdebugcrcfix.patch

patch added in rev 796705 -> rpm-4.12.0.1-13.mga5 (2014-11-13)
http://svnweb.mageia.org/packages?view=revision&revision=796705

Fedora/RH bugreport about this patch
https://bugzilla.redhat.com/show_bug.cgi?id=971119
Comment 5 Olivier Blin 2015-01-31 19:03:38 CET
Fedora dropped the patch when updating to 4.12.0:
http://pkgs.fedoraproject.org/cgit/rpm.git/commit/?id=1d5ceec05f97fc32cafd41a7da06e1d396e8142b

Are we sure we still need this patch?

If debug infos still work after removing the patch, I guess we can remove it like Fedora.

CC: (none) => mageia, mageia, thierry.vignaud, tmb

Comment 6 Olivier Blin 2015-01-31 19:08:19 CET
Ah, I was mistaken, the patch was only edited to remove a hunk, but it is still applied in Fedora.
Anne Nicolas 2015-02-05 22:50:01 CET

Assignee: thierry.vignaud => pterjan

Comment 7 Thierry Vignaud 2015-02-06 08:40:17 CET
I've told upstream/FC maintainers about this patch issue.
Comment 8 Colin Guthrie 2015-02-06 09:12:45 CET
(In reply to Thierry Vignaud from comment #7)
> I've told upstream/FC maintainers about this patch issue.

Cool. I suspect they will just say, "Use %attr properly" :)

Pascal said in the meeting last night that he'd do a little hdlist analysis to compare any setuid files on MGA4 to make sure they are still setuid on MGA5 and thus spot any potential regressions. We've probably not got a few so should be OK to fix at a packaging level.
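
The regression check mentioned in comment 8, as an added example that is not part of the original thread or of Mageia's tooling: it compares two listings in the `rpm -qp --qf='[%{FILEMODES:perms} %{FILENAMES}\n]'` format used in the description and reports files whose setuid or setgid bit disappeared. The function names and sample listings are constructed for illustration; the kdesud mode in the old listing and the example-tool path are assumptions.

```python
# Constructed sample listings in the "<perms> <path>" format produced by
#   rpm -qp --qf='[%{FILEMODES:perms} %{FILENAMES}\n]' package.rpm
# The kdesud mode in OLD_BUILD and the example-tool path are assumptions.
OLD_BUILD = """\
-rwsr-xr-x /usr/bin/kppp
-rwxr-sr-x /usr/lib64/kde4/libexec/kdesud
-rwxr-xr-x /usr/bin/example-tool
"""
NEW_BUILD = """\
-rwxr-xr-x /usr/bin/kppp
-rwxr-xr-x /usr/lib64/kde4/libexec/kdesud
-rwxr-xr-x /usr/bin/example-tool
"""


def special_bits(perms):
    """Return the special bits set in an ls-style mode string."""
    bits = set()
    if perms[3] in "sS":   # owner execute slot: s/S means setuid
        bits.add("setuid")
    if perms[6] in "sS":   # group execute slot: s/S means setgid
        bits.add("setgid")
    return bits


def parse_listing(text):
    """Map each path to its special bits; skip lines in another format."""
    files = {}
    for line in text.splitlines():
        perms, _, path = line.strip().partition(" ")
        if len(perms) == 10 and path:
            files[path] = special_bits(perms)
    return files


def lost_bits(old_text, new_text):
    """Return {path: [bits]} for files present in both listings that
    had setuid/setgid in the old one and no longer have it in the new."""
    old, new = parse_listing(old_text), parse_listing(new_text)
    report = {}
    for path, bits in old.items():
        dropped = bits - new.get(path, bits)  # removed files are ignored
        if dropped:
            report[path] = sorted(dropped)
    return report


if __name__ == "__main__":
    for path, bits in sorted(lost_bits(OLD_BUILD, NEW_BUILD).items()):
        print(f"{path}: lost {', '.join(bits)}")
```
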
Comment 9 Thierry Vignaud 2015-02-06 09:23:08 CET
Actually Panu suggests we just drop that patch as it's only useful for tools devs.
Feel free to do it.

As for packages, we already have fixed all packages (famous last words)
Comment 11 Thierry Vignaud 2015-02-07 09:51:43 CET
patch has been dropped
Comment 12 Luc Menut 2015-02-07 11:33:19 CET
(In reply to Thierry Vignaud from comment #11)
> patch has been dropped

Thanks
Comment 13 Sander Lepik 2015-02-14 21:38:30 CET
So is this bug now fixed?

CC: (none) => mageia

Comment 14 Thierry Vignaud 2015-02-14 22:25:20 CET
Yes

Status: NEW => RESOLVED
Resolution: (none) => FIXED

