Bug
When building coreos-3.0.1, rpmlint reports a missing call to setgroups before setuid.
This appears to be in crate users-0.7.0, a dependency of direct dependency crate update-ssh-keys-0.3.0. Some changes in this area have been integrated in users-0.8.0, currently researching whether those eliminate the warning.
The warning may not indicate an actual problem, but it would be helpful to eliminate the warning if a fix is available through a newer version of a dependency.
Operating System Version
OpenSUSE Tumbleweed 20181018-0 x86_64
coreos-metadata Version
coreos-metadata-3.0.1
Environment
Open Build Service (OBS) osc build local.
Local RPM lint warning at build time, no error running executable. Not running on any cloud provider.
Expected Behavior
Build executable that passes standard RPM lint checks.
Actual Behavior
RPMLINT report:
===============
coreos-metadata.x86_64:
W: missing-call-to-setgroups-before-setuid /usr/bin/coreos-metadata
This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this means it didn't relinquish all groups, and
this would be a potential security issue to be fixed. Seek POS36-C on the web
for details about the problem.
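For reference, the sequence the POS36-C check behind this warning expects is: clear the supplementary groups first, then set the primary group, then the user id, and verify the result afterwards. The block below is an added illustration of that order and is not code from coreos-metadata or the users crate. It declares the libc calls directly over FFI (Linux/glibc signatures assumed) so it builds without the libc crate, and the target uid/gid are whatever the caller passes in.

```rust
use std::io;
use std::ptr;

// Added example: the privilege-drop order that POS36-C (and the rpmlint
// check quoting it) expects. Not code from coreos-metadata or the users
// crate. The libc calls are declared over FFI with Linux/glibc signatures
// so the example has no crate dependencies.
#[allow(non_camel_case_types)]
pub type uid_t = u32;
#[allow(non_camel_case_types)]
pub type gid_t = u32;

extern "C" {
    fn setgroups(size: usize, list: *const gid_t) -> i32;
    fn getgroups(size: i32, list: *mut gid_t) -> i32;
    fn setgid(gid: gid_t) -> i32;
    fn setuid(uid: uid_t) -> i32;
    fn getuid() -> uid_t;
    fn geteuid() -> uid_t;
    fn getgid() -> gid_t;
    fn getegid() -> gid_t;
}

/// Which step of the drop failed, so a caller can report it precisely.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Step {
    SetGroups,
    SetGid,
    SetUid,
}

/// Drop to `uid`/`gid` in the order the lint wants.
/// Order matters: setgroups() and setgid() need CAP_SETGID, which is
/// normally gone once setuid() has moved the process to an unprivileged
/// uid. Calling setuid() first therefore either makes the later calls fail
/// or, if their return values are ignored, leaves the supplementary groups
/// in place: the failure mode POS36-C describes.
pub fn drop_privileges(uid: uid_t, gid: gid_t) -> Result<(), (Step, io::Error)> {
    // 1. Supplementary groups: the call the rpmlint warning reports as missing.
    if unsafe { setgroups(0, ptr::null()) } != 0 {
        return Err((Step::SetGroups, io::Error::last_os_error()));
    }
    // 2. Primary group, while the process can still change it.
    if unsafe { setgid(gid) } != 0 {
        return Err((Step::SetGid, io::Error::last_os_error()));
    }
    // 3. User id last.
    if unsafe { setuid(uid) } != 0 {
        return Err((Step::SetUid, io::Error::last_os_error()));
    }
    Ok(())
}

/// Post-condition check: real and effective ids match the target and the
/// supplementary group list is empty (getgroups(0, NULL) returns the count).
pub fn privileges_dropped(uid: uid_t, gid: gid_t) -> bool {
    unsafe {
        getuid() == uid
            && geteuid() == uid
            && getgid() == gid
            && getegid() == gid
            && getgroups(0, ptr::null_mut()) == 0
    }
}

/// Ids of the current process, used by the demo below.
pub fn current_ids() -> (uid_t, gid_t) {
    unsafe { (getuid(), getgid()) }
}

fn main() {
    // Dropping to the process's own ids changes nothing in effect but
    // exercises every call in the right order.
    let (uid, gid) = current_ids();
    match drop_privileges(uid, gid) {
        Ok(()) => println!("dropped; verified: {}", privileges_dropped(uid, gid)),
        // Unprivileged processes get EPERM from setgroups() itself.
        Err((step, e)) => println!("{:?} failed: {}", step, e),
    }
}
```

Run as root the program succeeds and the post-condition check passes; run unprivileged, setgroups() itself fails with EPERM, which is the point of doing it first: a failure surfaces at the step that needs the privilege, instead of silently leaving groups behind after setuid(). The rpmlint check inspects the built executable rather than a particular call site, consistent with the note further down, so whichever dependency performs the setuid/setgid calls needs a setgroups or initgroups call of this kind alongside them.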
Reproduction Steps
- Routine osc build to build local package
- RPM lint warning above displayed.
Other Information
Occurrences of setgroups are all in crate libc-0.2.43.
Occurrences of setuid are in crate libc-0.2.43 and crate users-0.7.0.
The rpmlint warning is not specific to a particular call site. Dependency crate users-0.7.0 has potentially relevant code here: https://github.com/ogham/rust-users/blob/v0.7.0/src/switch.rs#L25
Commits between crate users-0.7.0 (pinned) and crate users-0.8.0 (available) suggest some work may have been done in this area: ogham/rust-users@v0.7.0...master
I will test a build with crate users-0.8.0 and report back here.