Ah-Ha! (was: Re: [WBEL-devel] /bin/su and /usr/bin/su)

[Paul Iadonisi]

On Tue, 2003-12-09 at 01:13, John Morris wrote:

[snip]

> Unless someone else looks into the matter and has an "Ah-Ha!" moment I'm
> going to do my usual response to such matters.  Whack it with a big stick,
> as in patch the .spec thus:

[snip]

> It will work, but doesn't explain WHY it went wrong in the first place.

  Got it!  Build the package as a non-root user.  There's this little
snippet of code in the src/Makefile:

===
        can_create_suid_root_executable=no; \
        chown root $$TMPFILE > /dev/null 2>&1 \
          && chmod $(setuid_root_mode) $$TMPFILE > /dev/null 2>&1 \
          && can_create_suid_root_executable=yes; \
        rm -f $$TMPFILE; \
        if test $$can_create_suid_root_executable = yes; then \
          $(INSTALL_SU); \
        else \
          echo "WARNING: insufficient access; not installing su"; \
          echo "NOTE: to install su, run 'make install-root' as root"; \
        fi
===

  Actually, *all* packages should be built as non-root.  I believe
that's the way Red Hat builds them internally.  In fact, it was the
reason for the introduction of the %dev keyword: so that you could build
rpms requiring device files without needing to be root.
  No guarantee that all packages will be buildable as non-root, but I
know for a fact that it is a principle that Red Hat tries to adhere to. 
I haven't checked the Fedora Project rpm building guidelines at all, but
I think I do remember some discussion of it on one of the lists and
there was some comment that in order for packages to be accepted by Red
Hat, they *must* be buildable as non-root.
  Who knows, it might even solve some of the other unexplained problems.
-- 
-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly?  --  Try Linux.
 GPL all the way: Sell services, don't lease secrets