Comments (3)
jfkw
commented on May 29, 2024
1
@lucab Yes, thanks, I'll report the issue at rust-users.
from afterburn.
lucab
commented on May 29, 2024
Thanks for the report. I think this ticket is actually covering update-ssh-keys, but I'm fine handling this here.
The warning is related to switch_user_group in the users crate (all versions): https://github.com/ogham/rust-users/blob/15af1576e40fd3e5592b918de353df6a976c42c4/src/switch.rs#L134-L143
We are calling that in update-ssh-keys: https://github.com/coreos/update-ssh-keys/blob/v0.3.0/src/lib.rs#L108
In our specific case I think this is not a security bug. We are calling that method in order to align user/group on file creation only, not to drop privileges for the process (those are reset when the guard value is dropped at the end of the function).
I think it is still worth to report as bug against https://github.com/ogham/rust-users. @jfkw do you want to do that yourself? If/when fixed, we will pick up the new dependency both here an in update-ssh-keys.
from afterburn.
bgilbert
commented on May 29, 2024
I'm not seeing the rpmlint warning with Afterburn 5.3.0, so I'll assume that recent rust-users (we're using 0.11) has fixed this. Closing, but feel free to reopen if you're still seeing this.
from afterburn.
Related Issues (20)
- Release Afterburn 5.5.0 HOT 1
- Release Afterburn 5.5.1 HOT 1
- 30s delay on Azure boot: "Failed to get fabric address from DHCP" HOT 1
- Release 5.2.0 HOT 2
- systemd: excessive Requires/After can result in dependency failure HOT 2
- Test `providers::aws::mock_tests::test_aws_basic` is flaky HOT 2
- Test `providers::aws::mock_tests::test_aws_imds_versions` is flaky HOT 3
- Support IPv6 on AWS HOT 1
- Release 5.3.0 HOT 3
- afterburn-sshkeys fails if no ssh key in metadata on ibmcloud HOT 1
- Consider switching argument parsing to `clap_derive`
- Consolidate CloudStack metadata providers
- Consider enabling hostname service on subsequent boots
- Release Afterburn 5.4.0 HOT 2
- Release Afterburn 5.4.1 HOT 1
- configure user account based on azure provider specific information HOT 1
- Release Afterburn 5.4.2 HOT 7
- Afterburn reports incorrect OpenStack instance id HOT 2
- Release Afterburn 5.4.3
- Move away from `users` crate HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from afterburn.