[Bug 912816] Review Request: kyua-testers - Scriptable tester interfaces
bugzilla at redhat.com
Sun Nov 24 04:05:44 UTC 2013
https://bugzilla.redhat.com/show_bug.cgi?id=912816
Julio Merino <julio+redhat at meroh.net> changed:
What    |Removed                               |Added
----------------------------------------------------------------------------
Flags   |needinfo?(julio+redhat at meroh.net)   |
--- Comment #7 from Julio Merino <julio+redhat at meroh.net> ---
Wow, sorry for the looooong delay in replying. I haven't been paying attention
to either Kyua or Fedora for a long time for various personal reasons... and
recently just got back to them.
Regarding the missing-call-to-setgroups-before-setuid warning: it's true that
the code does not call setgroups, but this is not a real "problem". The code
in the "tester" binaries implements logic to drop privileges for test cases
that request it, but this is _NOT_ intended to be a security feature and is
documented as such. (Mind you, it's the test that chooses to request lower
privileges, not the user, so this really is not about security.) Adding a call
to setgroups() would only silence this specific warning but would do nothing to
improve security. I think this warning just needs to be ignored here.
--
You are receiving this mail because:
You are always notified about changes to this product and component
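
For reference, the call order that the setgroups-before-setuid warning discussed in the comment above looks for, as an added example that is not part of the original message or of Kyua's code: supplementary groups are cleared with setgroups() before setgid() and setuid(), and the result is verified. The helper names, the sample group list and the uid/gid 65534 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Number of entries in list[0..n) other than `keep`: the supplementary
 * groups a process would still hold after switching to gid `keep`. */
int count_extra_groups(const gid_t *list, int n, gid_t keep) {
    int extra = 0;
    for (int i = 0; i < n; i++)
        if (list[i] != keep)
            extra++;
    return extra;
}

/* Hypothetical helper: permanently switch to uid/gid.
 * setgroups() and setgid() must come first, because they need the
 * privilege that setuid() gives up. Returns 0 on success, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid) {
    gid_t now[256];
    int n;

    if (setgroups(1, &gid) != 0) return -1;  /* clear inherited groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify instead of trusting the return codes alone. */
    n = getgroups(256, now);
    if (n < 0 || count_extra_groups(now, n, gid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* root must be gone */
    return 0;
}

int main(void) {
    /* Constructed sample: groups inherited from a root parent process. */
    gid_t inherited[] = {0, 6, 10};
    printf("groups kept if setgroups() is skipped: %d\n",
           count_extra_groups(inherited, 3, 65534));
    if (geteuid() != 0) {
        puts("not root: skipping the real drop");
        return 0;
    }
    /* 65534 is assumed to be an unprivileged uid/gid on this system. */
    printf("drop_privileges: %d\n", drop_privileges(65534, 65534));
    return 0;
}
```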