A couple of fixes for errors reported by rpmlint #7794
Conversation
src/providers/krb5/krb5_ccache.c
Outdated
| @@ -54,6 +55,11 @@ errno_t switch_to_user(void) | |||
| return errno; | |||
| } | |||
|
|
|||
| ret = setgroups(0, NULL); | |||
There was a problem hiding this comment.
There are several reasons why this is not needed and, most probably, won't work.
First of all, those functions - 'switch_to_*()' - are exclusively used by 'krb5_child' only.
And the first thing 'krb5_child' does - it calls privileged_krb5_setup().
First thing privileged_krb5_setup() does - it calls setgroups(0, NULL) if appropriate.
So groups are either already dropped, or can't be dropped (see comment
sssd/src/providers/krb5/krb5_child.c
Line 3997 in c6294f5
Moreover, next thing 'krb5_child' does - sss_drop_all_caps().
Due to this setgroups() here will fail with EPERM
There was a problem hiding this comment.
I'm not sure if this would make 'rpmlint' happy, but maybe addition of else keep-SSSD-group-only in privileged_krb5_setup() would be better.
But imo it's not worth bothering.
There was a problem hiding this comment.
Hi Alexey, thanks for the detailed explanation.
Adding the else part to privileged_krb5_setup() will not help because rpmlint just scans the shared library for function calls. In libsss_krb5_common.so it finds the the setresuid() inside switch_to_xxx() without a setgroups() call, and privileged_krb5_setup() is not part of this library.
I will just add an exemption for this error. What's about the other patch? I will update this PR if it makes sense.
There was a problem hiding this comment.
What's about the other patch?
d-bus policy patch looks good to me (but will require a 2nd reviewer).
|
@scabrero, FYI, we plan sssd-2.10.2 release soon. |
> sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf > sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Domains"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf > sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Domains.Domain"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf > sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Users"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf > sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Users.User"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf > sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Groups"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf > sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Groups.Group"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf > sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Cache"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf > sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Cache.Object"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf > sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Components"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf > 'allow' directives must always specify a 'send_destination'. Signed-off-by: Samuel Cabrero <[email protected]>
scabrero
force-pushed
the
opensuse-rpmlint
branch
from
088dd53 to
dfd4122
Compare
|
Thanks, I dropped the first patch and rebased. I hope it is on time for 2.10.2. |
rpmlint reports a couple of security related issues:
setresuid()andsetresgid()<allow>directives in the infopipe service withoutsend_destinationReported in https://bugzilla.suse.com/show_bug.cgi?id=1235724