Review Request 117125: start_kdeinit: Use capabilities instead of SUID
Hrvoje Senjan
hrvoje.senjan at gmail.com
Thu May 29 12:53:39 UTC 2014
> On May 29, 2014, 2:11 p.m., Alex Merry wrote:
> > What's the plan with this? Does Andreas' fix for the setuid case also fix the capabilities case?
yep. i was able to successfully start and use plasma next (with KF5 in /usr, and workspace umbrella in /opt) - this was not the case before (unfortunately, i've only tested startkde after committing =(
- Hrvoje
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/117125/#review58706
-----------------------------------------------------------
On May 15, 2014, 11:12 p.m., Hrvoje Senjan wrote:
>
>
> (Updated May 15, 2014, 11:12 p.m.)
>
>
> Review request for KDE Frameworks, Andreas Hartmetz and David Faure.
>
>
> Bugs: https://bugzilla.novell.com/show_bug.cgi?id=862953
>
>
> Repository: kinit
>
>
> Description
> -------
>
> The issue came up in a security review of the kinit package (yes, the same is valid for kdelibs4...)
> The SUSE security team is not happy with kdeinit being a SUID helper, thus capabilities are utilized first (if available)
> I've just tried to integrate the suggested patch (from the report) with the CMake bits
>
>
> Diffs
> -----
>
> CMakeLists.txt 8bd43d8
> cmake/FindLibcap.cmake PRE-CREATION
> src/config-kdeinit.h.cmake c89c713
> src/start_kdeinit/CMakeLists.txt 6bfc496
> src/start_kdeinit/start_kdeinit.c 3c733e7
>
> Diff: https://git.reviewboard.kde.org/r/117125/diff/
>
>
> Testing
> -------
>
> Built:
> with setcap & libcap present - installed as advertised;
> without one/both of them - the old procedure is in place (using SUID for the helper)
>
> I am not sure how to test the OOM killer; fortunately it never kicked in with the kdelibs4 variant, so I also can't say whether it worked as planned before...
>
>
> Thanks,
>
> Hrvoje Senjan
>
>