Ah-Ha! (was: Re: [WBEL-devel] /bin/su and /usr/bin/su)
David L. Parsley
parsley@linuxjedi.org
Tue, 09 Dec 2003 10:05:31 -0500
Hi Paul,
Nice catch! I just verified that kdenetwork also builds correctly (with
stripped binaries and non-suid-root kppp). Now I'll start rebuilding
everything again. :-(
regards,
David
On Tue, 2003-12-09 at 03:15, Paul Iadonisi wrote:
> On Tue, 2003-12-09 at 01:13, John Morris wrote:
>
> [snip]
>
> > Unless someone else looks into the matter and has an "Ah-Ha!" moment I'm
> > going to do my usual response to such matters. Whack it with a big stick,
> > as in patch the .spec thus:
>
> [snip]
>
> > It will work, but doesn't explain WHY it went wrong in the first place.
>
> Got it! Build the package as a non-root user. There's this little
> snippet of code in the src/Makefile:
>
> ===
> can_create_suid_root_executable=no; \
> chown root $$TMPFILE > /dev/null 2>&1 \
> && chmod $(setuid_root_mode) $$TMPFILE > /dev/null 2>&1 \
> && can_create_suid_root_executable=yes; \
> rm -f $$TMPFILE; \
> if test $$can_create_suid_root_executable = yes; then \
> $(INSTALL_SU); \
> else \
> echo "WARNING: insufficient access; not installing su"; \
> echo "NOTE: to install su, run 'make install-root' as root"; \
> fi
> ===
>
> Actually, *all* packages should be built as non-root. I believe
> that's the way Red Hat builds them internally. In fact, it was the
> reason for the introduction of the %dev keyword: so that you could build
> rpms requiring device files without needing to be root.
> No guarantee that all packages will be buildable as non-root, but I
> know for a fact that it is a principle that Red Hat tries to adhere to.
> I haven't checked the Fedora Project rpm building guidelines at all, but
> I think I do remember some discussion of it on one of the lists and
> there was some comment that in order for packages to be accepted by Red
> Hat, they *must* be buildable as non-root.
> Who knows, it might even solve some of the other unexplained problems.