Bugzilla – Bug 1219339
AUDIT-0: sendmail: permissions config path changed
Last modified: 2024-02-28 10:45:04 UTC

The binary /usr/sbin/sendmail of package sendmail has to be owned by root:mail and the set group identity bit has to be set, aka

werner/sendmail> ll /usr/sbin/sendmail
-r-xr-sr-x 1 root mail 893656 Oct 9 10:55 /usr/sbin/sendmail

This ensures that sendmail can handle mail in offline enqueue.

Thanks for opening this bug report. We will schedule it in our team shortly.

Context: https://build.opensuse.org/request/show/1142725

> [ 112s] sendmail.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/sbin/sendmail is packaged with setuid/setgid bits (02555)
> [ 112s] Packaging setuid/setgid binaries requires a review and whitelisting by the
> [ 112s] SUSE security team. If the package is intended for inclusion in any SUSE
> [ 112s] product please open a bug report to request review of the package by the
> [ 112s] security team. Please refer to
> [ 112s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
> [ 112s] more information.

Ah ... to be noted: I've only removed the trailing / from the directories specified to the chkstat command as otherwise this command does not find the directories in the permissions files anymore (even if the trailing / are used there). Also move from /etc/permissions.d/ is required to usr move

Packaging bug identified: sendmail moved the dropins from /etc/permissions.d to /usr/share/permissions instead of /usr/share/permissions/permissions.d

The actual rpmlint issue to be addressed should be

[ 92s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10) /usr/share/permissions/permissions.d/sendmail (sha256 file digest default filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486 shell filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486 xml filter:<failed-to-calculate>)
[ 92s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10) /usr/share/permissions/permissions.d/sendmail.paranoid (sha256 file digest default filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c shell filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c xml filter:<failed-to-calculate>)

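Added example (not part of this bug report, nor code from the sendmail, permissions or rpmlint projects): a Python check that reads entries in the `<path> <owner>:<group> <mode>` layout used by permissions drop-ins and compares them with the installed file, using the root:mail ownership and setgid mode 2555 stated in the description. The sample entry is constructed, since the packaged drop-in's contents are not shown here, and the function names are hypothetical.

```python
import grp
import os
import pwd
import stat

# Constructed sample in the "<path> <owner>:<group> <mode>" layout; owner and
# mode are the ones quoted in this report, not the packaged drop-in's contents.
SAMPLE_DROPIN = "# constructed sample\n/usr/sbin/sendmail  root:mail  2555\n"

def parse_entries(text):
    """Return {path: (owner, group, mode)} from permissions-style text."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or ":" not in fields[1]:
            raise ValueError(f"malformed entry: {raw!r}")
        owner, group = fields[1].split(":", 1)
        # Normalise a trailing "/" so directory entries match either spelling.
        entries[fields[0].rstrip("/") or "/"] = (owner, group, int(fields[2], 8))
    return entries

def compare(expected, owner, group, st_mode):
    """List deviations of an observed file from its expected entry."""
    exp_owner, exp_group, exp_mode = expected
    problems = []
    if (owner, group) != (exp_owner, exp_group):
        problems.append(f"owner {owner}:{group}, expected {exp_owner}:{exp_group}")
    mode = stat.S_IMODE(st_mode)
    if mode != exp_mode:
        problems.append(f"mode {mode:04o}, expected {exp_mode:04o}")
    if (exp_mode ^ mode) & (stat.S_ISUID | stat.S_ISGID):
        problems.append("setuid/setgid bits differ from the reviewed entry")
    return problems

def audit(text, root="/"):
    """Check each listed path that exists under root; return {path: problems}."""
    report = {}
    for path, expected in parse_entries(text).items():
        target = os.path.join(root, path.lstrip("/"))
        if os.path.lexists(target):
            st = os.lstat(target)
            report[path] = compare(expected, pwd.getpwuid(st.st_uid).pw_name,
                                   grp.getgrgid(st.st_gid).gr_name, st.st_mode)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_DROPIN))
```

An empty problem list for a path means the installed file matches the entry; paths that do not exist under `root` are skipped.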

(In reply to Dominique Leuenberger from comment #4)
> Packaging bug identified: sendmail moved the dropins from /etc/permissions.d
> to /usr/share/permissions instead of /usr/share/permissions/permissions.d
>
>
> The actual rpmlint issue to be addressed should be
>
> [ 92s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10)
> /usr/share/permissions/permissions.d/sendmail (sha256 file digest default
> filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486
> shell
> filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486 xml
> filter:<failed-to-calculate>)
> [ 92s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10)
> /usr/share/permissions/permissions.d/sendmail.paranoid (sha256 file digest
> default
> filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c
> shell
> filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c xml
> filter:<failed-to-calculate>)

OK ... will resolve this


Do we have a default owner of /usr/share/permissions/permissions.d

rpm -qf /usr/share/permissions/permissions.d
file /usr/share/permissions/permissions.d is not owned by any package


Now I see

[ 60s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10) /usr/share/permissions/permissions.d/sendmail (sha256 file digest default filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486 shell filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486 xml filter:<failed-to-calculate>)
[ 60s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10) /usr/share/permissions/permissions.d/sendmail.paranoid (sha256 file digest default filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c shell filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c xml filter:<failed-to-calculate>)


Badness increases in staging:)

[ 103s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10000) /usr/share/permissions/permissions.d/sendmail.paranoid (sha256 file digest default filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c shell filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c xml filter:<failed-to-calculate>)
[ 103s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10000) /usr/share/permissions/permissions.d/sendmail (sha256 file digest default filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486 shell filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486 xml filter:<failed-to-calculate>)
[ 103s] Packaging permissions.d drop-in snippets requires a review and whitelisting by
[ 103s] the SUSE security team. If the package is intended for inclusion in any SUSE
[ 103s] product please open a bug report to request review of the package by the
[ 103s] security team. Please refer to
[ 103s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 103s] more information.
[ 103s]


(In reply to Ana Guerrero from comment #8)
> Badness increases in staging:)

That part is intentional: devel projects don't build against rpmlint-strict in order to be able to test the packages by the devs prior to having all sec audits passed

(In reply to Dr. Werner Fink from comment #6)
> Do we have a default owner of /usr/share/permissions/permissions.d
>
> rpm -qf /usr/share/permissions/permissions.d
> file /usr/share/permissions/permissions.d is not owned by any package

Not yet it seems. Would make to have the base directory owned by permissions too. So that packages can just put their files in place.

@dimstar: Thanks for helping out with this. Since the permissions.d hashes haven't changed, I started an rpmlint update right away. It will take a while until it hits Factory though. https://github.com/rpm-software-management/rpmlint/pull/1178

(In reply to Dominique Leuenberger from comment #9)
> > rpm -qf /usr/share/permissions/permissions.d
> > file /usr/share/permissions/permissions.d is not owned by any package
>
> Not yet it seems. Would make to have the base directory owned by permissions
> too. So that packages can just put their files in place.

For this part I propose https://build.opensuse.org/request/show/1142770

@Wolfgang: ok like this or you rather prefer the makefile of permissions to create the dir and it being packaged regularly?


(In reply to Dominique Leuenberger from comment #11)
> (In reply to Dominique Leuenberger from comment #9)
> > > rpm -qf /usr/share/permissions/permissions.d
> > > file /usr/share/permissions/permissions.d is not owned by any package
> >
> > Not yet it seems. Would make to have the base directory owned by permissions
> > too. So that packages can just put their files in place.
>
> For this part I propose https://build.opensuse.org/request/show/1142770
>
> @Wolfgang: ok like this or you rather prefer the makefile of permissions to
> create the dir and it being packaged regularly?

Looks good to me! I will get confirmation from the team just to be sure, but I don't expect any opposition and will likely accept the request very soon.

This is an autogenerated message for OBS integration: This bug (1219339) was mentioned in https://build.opensuse.org/request/show/1142755 Factory / sendmail
rpmlint update on its way https://build.opensuse.org/request/show/1142790
A follow-up submission for rpmlint is in Factory staging, along with sendmail. Should be fine now. https://build.opensuse.org/request/show/1143021 https://build.opensuse.org/project/show/openSUSE:Factory:Staging:I
This is an autogenerated message for OBS integration: This bug (1219339) was mentioned in https://build.opensuse.org/request/show/1143293 Factory / rpmlint
Released