Review Request 117125: start_kdeinit: Use capabilities instead of SUID
Hrvoje Senjan
hrvoje.senjan at gmail.com
Thu May 29 13:14:23 UTC 2014
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/117125/
-----------------------------------------------------------
(Updated May 29, 2014, 3:14 p.m.)
Review request for KDE Frameworks, Andreas Hartmetz and David Faure.
Changes
-------
rebased to latest HEAD
Bugs: https://bugzilla.novell.com/show_bug.cgi?id=862953
https://bugs.kde.org/show_bug.cgi?id=https://bugzilla.novell.com/show_bug.cgi?id=862953
Repository: kinit
Description
-------
The issue came up on security review of kinit package (yes, same is valid for kdelibs4...)
SUSE security team is not happy with kdeinit being SUID helper, thus capabilities are utilized first (if available)
I've just tried to integrate the suggested patch (from the report) with the CMake bits
Diffs (updated)
-----
CMakeLists.txt 138ebc6
cmake/FindLibcap.cmake PRE-CREATION
src/CMakeLists.txt 2117358
src/config-kdeinit.h.cmake 8e74789
src/start_kdeinit/CMakeLists.txt 2eaeb61
src/start_kdeinit/start_kdeinit.c 3c733e7
Diff: https://git.reviewboard.kde.org/r/117125/diff/
Testing
-------
Built:
with setcap & libcap present - installed as advertised;
without one/both of them - the old procedure is in place (using SUID for the helper)
I am not sure how to test the OOM killer, fortunately it never kicked in kdelibs4 variant, so can't also say did it work as planned before...
Thanks,
Hrvoje Senjan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-frameworks-devel/attachments/20140529/729cbbf5/attachment-0001.html>
More information about the Kde-frameworks-devel
mailing list