Ah-Ha! (was: Re: [WBEL-devel] /bin/su and /usr/bin/su)
Paul Iadonisi
pri.wbel@iadonisi.to
Tue, 09 Dec 2003 03:15:18 -0500
On Tue, 2003-12-09 at 01:13, John Morris wrote:
[snip]
> Unless someone else looks into the matter and has an "Ah-Ha!" moment I'm
> going to do my usual response to such matters. Whack it with a big stick,
> as in patch the .spec thus:
[snip]
> It will work, but doesn't explain WHY it went wrong in the first place.
Got it! Build the package as a non-root user. There's this little
snippet of code in the src/Makefile:
===
can_create_suid_root_executable=no; \
chown root $$TMPFILE > /dev/null 2>&1 \
&& chmod $(setuid_root_mode) $$TMPFILE > /dev/null 2>&1 \
&& can_create_suid_root_executable=yes; \
rm -f $$TMPFILE; \
if test $$can_create_suid_root_executable = yes; then \
$(INSTALL_SU); \
else \
echo "WARNING: insufficient access; not installing su"; \
echo "NOTE: to install su, run 'make install-root' as root"; \
fi
===
Actually, *all* packages should be built as non-root. I believe
that's the way Red Hat builds them internally. In fact, it was the
reason for the introduction of the %dev keyword: so that you could build
rpms requiring device files without needing to be root.
No guarantee that all packages will be buildable as non-root, but I
know for a fact that it is a principle that Red Hat tries to adhere to.
I haven't checked the Fedora Project rpm building guidelines at all, but
I think I do remember some discussion of it on one of the lists and
there was some comment that in order for packages to be accepted by Red
Hat, they *must* be buildable as non-root.
Who knows, it might even solve some of the other unexplained problems.
--
-Paul Iadonisi
Senior System Administrator
Red Hat Certified Engineer / Local Linux Lobbyist
Ever see a penguin fly? -- Try Linux.
GPL all the way: Sell services, don't lease secrets