
Fix setuid/setgid ownership verification with rpm scripts-added users and groups #364

Closed
justin-stephenson opened this issue Apr 20, 2021 · 0 comments
Assignees
Labels
bug Something isn't working v1.5

Comments

@justin-stephenson

The Tlog package installs the 'tlog' user and group with rpm scripts, to limit the setuid/setgid permissions of the executable tlog-rec-session.

preinstall scriptlet (using /bin/sh):
getent group tlog >/dev/null ||
    groupadd -r tlog
getent passwd tlog >/dev/null ||
    useradd -r -g tlog -d /var/run/tlog -s /sbin/nologin \
            -c "Tlog terminal I/O logger" tlog

This causes the rpminspect ownership check to fail, however.

  1. /usr/bin/tlog-rec-session on x86_64 carries owner tlog (UID 0) and is on the fileinfo list, but the UID cannot be verified
  2. /usr/bin/tlog-rec-session on x86_64 carries group tlog (GID 0) and is on the fileinfo list, but the GID cannot be verified
@dcantrell dcantrell self-assigned this Apr 20, 2021
@dcantrell dcantrell added bug Something isn't working v1.5 labels Apr 20, 2021
dcantrell added a commit that referenced this issue Apr 20, 2021
The fileinfo files carry what is basically an 'ls -l' style output of
files we package that carry special permissions and ownerships.  The
ownership inspection then checks files found against that list to make
sure they are allowed.  The inspection was performing a local name
lookup on the owner and group and also comparing the UID and GID
values, but that is not guaranteed.  Some packages will dynamically
create the owner and/or group via a package scriptlet.  The RPM header
records the symbolic name as do our fileinfo files, so just perform
matching based on that.

Signed-off-by: David Cantrell <dcantrell@redhat.com>
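The two behaviours the commit message contrasts, shown side by side as an added example (this is not rpminspect's code). The fileinfo column layout, the header records and every file name other than /usr/bin/tlog-rec-session are constructed for illustration. `check_by_id` reproduces the failure quoted in the issue: a name that only exists once the package's own scriptlet has run cannot be resolved on the inspecting host, so the UID/GID comparison cannot be made. `check_by_name` applies the commit's approach of matching the symbolic owner and group names the RPM header already records against the fileinfo list, with no account lookup at all. The resolvers are injectable so the "tlog does not exist here" case can be reproduced on any machine.

```python
"""Ownership verification of setuid/setgid files against a fileinfo list,
modelled on the rpminspect fix described in this issue (added example)."""
import grp
import pwd
import stat
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Constructed fileinfo list in the "ls -l"-style layout the commit message
# describes.  Column order (mode owner group path, '#' comments) is assumed.
FILEINFO = """\
# mode       owner group path
-rwsr-xr-x   root  root  /usr/bin/passwd
-rwsr-sr-x   tlog  tlog  /usr/bin/tlog-rec-session
-rwxr-sr-x   root  tlog  /usr/libexec/tlog-helper
"""

# Constructed stand-in for per-file RPM header data (FILENAMES, FILEMODES,
# FILEUSERNAME, FILEGROUPNAME).  Owner/group are symbolic names, as in a real
# header.  tlog-helper and tlog-play are hypothetical files.
HeaderFile = Tuple[str, int, str, str]
HEADER_FILES: List[HeaderFile] = [
    ("/usr/bin/tlog-rec-session", 0o106755, "tlog", "tlog"),  # setuid+setgid, listed
    ("/usr/bin/tlog-rec", 0o100755, "root", "root"),          # no special bits
    ("/usr/libexec/tlog-helper", 0o102755, "root", "root"),   # listed, group differs
    ("/usr/bin/tlog-play", 0o104755, "root", "root"),         # setuid, not listed
]

FileInfo = Dict[str, Tuple[str, str, str]]
Resolver = Callable[[str], Optional[int]]


def parse_fileinfo(text: str) -> FileInfo:
    """Map path -> (mode string, owner, group), skipping comments/blank lines."""
    entries: FileInfo = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            mode, owner, group, path = line.split(None, 3)
            entries[path] = (mode, owner, group)
    return entries


def has_special_bits(mode: int) -> bool:
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def _not_listed(path: str, mode: int, owner: str, group: str) -> str:
    return (f"{path}: {stat.filemode(mode)} {owner} {group} has special "
            f"permissions but is not on the fileinfo list")


def local_uid(name: str) -> Optional[int]:
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None  # account does not exist on this host


def local_gid(name: str) -> Optional[int]:
    try:
        return grp.getgrnam(name).gr_gid
    except KeyError:
        return None


def check_by_id(header: Sequence[HeaderFile], fileinfo: FileInfo,
                uid_of: Resolver = local_uid, gid_of: Resolver = local_gid) -> List[str]:
    """Pre-fix behaviour: resolve names on the inspecting host and compare IDs.
    A scriptlet-created account is absent there, so verification fails even
    when the names agree."""
    findings: List[str] = []
    for path, mode, owner, group in header:
        if not has_special_bits(mode):
            continue
        if path not in fileinfo:
            findings.append(_not_listed(path, mode, owner, group))
            continue
        _, exp_owner, exp_group = fileinfo[path]
        uid, exp_uid = uid_of(owner), uid_of(exp_owner)
        if uid is None or exp_uid is None:
            findings.append(f"{path}: carries owner {owner} but the UID cannot be verified")
        elif uid != exp_uid:
            findings.append(f"{path}: owner {owner} (UID {uid}) does not match fileinfo {exp_owner}")
        gid, exp_gid = gid_of(group), gid_of(exp_group)
        if gid is None or exp_gid is None:
            findings.append(f"{path}: carries group {group} but the GID cannot be verified")
        elif gid != exp_gid:
            findings.append(f"{path}: group {group} (GID {gid}) does not match fileinfo {exp_group}")
    return findings


def check_by_name(header: Sequence[HeaderFile], fileinfo: FileInfo) -> List[str]:
    """Fixed behaviour: header and fileinfo both carry symbolic names, so compare
    those (and the mode string) directly; no local account lookup involved."""
    findings: List[str] = []
    for path, mode, owner, group in header:
        if not has_special_bits(mode):
            continue
        if path not in fileinfo:
            findings.append(_not_listed(path, mode, owner, group))
            continue
        exp_mode, exp_owner, exp_group = fileinfo[path]
        if stat.filemode(mode) != exp_mode:
            findings.append(f"{path}: mode {stat.filemode(mode)} does not match fileinfo {exp_mode}")
        if owner != exp_owner:
            findings.append(f"{path}: owner {owner} does not match fileinfo {exp_owner}")
        if group != exp_group:
            findings.append(f"{path}: group {group} does not match fileinfo {exp_group}")
    return findings


if __name__ == "__main__":
    info = parse_fileinfo(FILEINFO)
    for label, result in (("by ID", check_by_id(HEADER_FILES, info)),
                          ("by name", check_by_name(HEADER_FILES, info))):
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  " + finding)
```

On a host without a 'tlog' account, `check_by_id` reports the two "cannot be verified" findings from the issue for tlog-rec-session and, for the hypothetical tlog-helper, also hides a genuine group mismatch (header says root, fileinfo says tlog) behind the same "GID cannot be verified" message. `check_by_name` passes tlog-rec-session and reports the tlog-helper mismatch as a mismatch; a setuid file missing from the list is flagged by both.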