Bug 66303 - aegis: permissions
Summary: aegis: permissions
Status: RESOLVED FIXED
Alias: None
Product: openSUSE 10.3
Classification: openSUSE
Component: Security
Version: Beta 1
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Susanne Oberhauser-Hirschoff
QA Contact: E-mail List
Reported: 2005-02-23 13:33 UTC by Ludwig Nussel
Modified: 2008-03-07 10:57 UTC
Found By: Other
Description Ludwig Nussel 2005-02-23 13:33:11 UTC
aegis includes a file in /etc/permissions.d that sets setuid bits. 
a) why does it need to be setuid root at all? 
b) please remove that file. I'll include it in the permissions package instead 
if you have an answer for a).
Comment 1 Ludwig Nussel 2005-02-23 13:36:30 UTC
pardon, setuid aegis, not root. Nevertheless the question remains. 
Comment 2 Susanne Oberhauser-Hirschoff 2005-02-23 13:56:49 UTC
Yes, this is not obvious.  However there is an Appendix D in the user guide 
describing why, and how the setuid is isolated to make the code 
audit-friendly.  The basic reason is that aegis is something like clearcase or 
cvs with process support, and that it protects the shared repository with unix 
file permissions.  For details, please see: 
 
/usr/share/doc/packages/aegis/en/user-guide.{ps,txt,dvi}  
  
btw, the currently checked-in version got an audit.  I plan on an update for 
code10. 
 
does this answer your question? 
Comment 3 Ludwig Nussel 2005-02-23 16:06:54 UTC
Fine, thanks. Moving the permissions file with the next update is fine. 
Comment 4 Thomas Biege 2005-10-05 09:45:38 UTC
So, this can be closed, right?
Comment 5 Marcus Meissner 2006-03-29 12:57:37 UTC
the permissions.d file is not migrated yet, so keep open until fixed.
Comment 6 Ludwig Nussel 2007-08-08 09:42:34 UTC
no changes to aegis package for two years. setting package to frozen to prevent shipment in future distros.
Comment 7 Thomas Biege 2008-03-07 10:57:15 UTC
closing