[Bug 912816] Review Request: kyua-testers - Scriptable tester interfaces

bugzilla at redhat.com
Sun Nov 24 04:05:44 UTC 2013


https://bugzilla.redhat.com/show_bug.cgi?id=912816

Julio Merino <julio+redhat at meroh.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(julio+redhat at mero |
                   |h.net)                      |



--- Comment #7 from Julio Merino <julio+redhat at meroh.net> ---
Wow, sorry for the looooong delay in replying.  I haven't been paying attention
to either Kyua or Fedora for a long time for various personal reasons... and
recently just got back to them.

Regarding the missing-call-to-setgroups-before-setuid warning: it's true that
the code does not call setgroups, but this is not a real "problem".  The code
in the "tester" binaries implements logic to drop privileges for test cases
that request it, but this is _NOT_ intended to be a security feature and is
documented as such.  (Mind you, it's the test that chooses to request lower
privileges, not the user, so this really is not about security.)  Adding a call
to setgroups() would only silence this specific warning but would do nothing to
improve security.  I think this warning just needs to be ignored here.

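What the missing-call-to-setgroups-before-setuid warning discussed in comment #7 looks for, as an added example that is not kyua-testers code: a root process that drops to an unprivileged user in the order setgroups, setgid, setuid, then checks that no supplementary groups are left over. The function names (count_extra_groups, leftover_groups, drop_privileges) are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose setgroups() */
#endif
#include <grp.h>
#include <stdlib.h>
#include <unistd.h>

/* Count entries in a group list that are not the one group we mean to keep. */
int count_extra_groups(const gid_t *list, int n, gid_t keep)
{
    int extra = 0;
    for (int i = 0; i < n; i++)
        if (list[i] != keep)
            extra++;
    return extra;
}

/* Supplementary groups this process still holds besides `keep`; -1 on error. */
int leftover_groups(gid_t keep)
{
    int n = getgroups(0, NULL);
    gid_t *list = (n < 0) ? NULL : malloc((size_t)(n + 1) * sizeof(*list));
    if (list == NULL)
        return -1;
    n = getgroups(n, list);
    int extra = (n < 0) ? -1 : count_extra_groups(list, n, keep);
    free(list);
    return extra;
}

/* Permanently switch from root to uid/gid.  Order matters: once setuid()
 * succeeds the process can no longer change its groups, so root's
 * supplementary groups would stay attached to the unprivileged process. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)              /* only root can change identity */
        return -1;
    if (setgroups(1, &gid) != 0)     /* 1. replace supplementary groups */
        return -1;
    if (setgid(gid) != 0)            /* 2. real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)            /* 3. uid last; no way back after this */
        return -1;
    if (uid != 0 && setuid(0) == 0)  /* regaining root must now fail */
        return -1;
    return leftover_groups(gid) == 0 ? 0 : -1;
}
```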