Bugzilla – Bug 1155691
AUDIT-0: slack: home:giovanism/slack: setuid binary whitelisting request for chrome-sandbox
Last modified: 2019-11-28 11:54:03 UTC
For my package found in OBS in <project>:<package> I would like a whitelisting for the following rpmlint error:

slack.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib64/slack/chrome-sandbox is packaged with setuid/setgid bits (04755)

If the package is intended for inclusion in any SUSE product please open a bug report to request review of the program by the security team. Please refer to https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for more information.
Do you intend to submit this to openSUSE? rpmlint will (soonish) ignore such issues in home directories, so if this is for your own use nothing needs to be done here and it should solve itself.
(In reply to Johannes Segitz from comment #1)
> do you intend to submit this to openSUSE? rpmlint will (soonish) ignore such
> issues in home directories, so if this is for your own use nothing needs to be
> done here and it should solve itself

When can I expect this change to take effect?
Thank you for opening the bug!

(In reply to giovanmail@gmail.com from comment #2)
> (In reply to Johannes Segitz from comment #1)
> > do you intend to submit this to openSUSE? rpmlint will (soonish) ignore such
> > issues in home directories, so if this is for your own use nothing needs to be
> > done here and it should solve itself
>
> When can I expect this change to take effect?

There is no fixed date we can give you yet, but it's probably a few weeks. Us actually reviewing the code would also take a while, however. Do you have plans to forward this package to openSUSE:Factory?

The chrome-sandbox you package here is actually already packaged in the chromium package. What is the background of that? Could you probably use just the chrome-sandbox from the chromium package? Then no review would be necessary at all. Having the same setuid binary twice in the distribution would be rather unfortunate anyways.
It would be nice if it could get to openSUSE:Factory. What does it take to forward this to openSUSE:Factory?

I just checked the package files and yes, there is a chrome-sandbox. Actually, I just forked this package from https://build.opensuse.org/package/show/home:nuklly/slack and downloaded the latest package from the Slack official website. They only provide this rpm, so that's all I have.

I'm all for less work and a faster release schedule for the packages. But I haven't found guides or examples for editing and building a package from an existing one.
(In reply to Matthias Gerstner from comment #3)
> Thank you for opening the bug!
>
> (In reply to giovanmail@gmail.com from comment #2)
> > (In reply to Johannes Segitz from comment #1)
> > > do you intend to submit this to openSUSE? rpmlint will (soonish) ignore such
> > > issues in home directories, so if this is for your own use nothing needs to be
> > > done here and it should solve itself
> >
> > When can I expect this change to take effect?
>
> There is no fixed date we can give you yet but it's probably a few weeks.
> Us actually reviewing the code would also take a while, however. Do you have
> plans to forward this package to openSUSE:Factory?
>
> The chrome-sandbox you package here is actually already packaged in the
> chromium package. What is the background of that? Could you probably use just
> the chrome-sandbox from the chromium package? Then no review would be
> necessary at all. Having the same setuid binary twice in the distribution
> would be rather unfortunate anyways.

It would be nice if it could get to openSUSE:Factory. What does it take to forward this to openSUSE:Factory?

I just checked the package files and yes, there is a chrome-sandbox. Actually, I just forked this package from https://build.opensuse.org/package/show/home:nuklly/slack and downloaded the latest package from the Slack official website. They only provide this rpm, so that's all I have.

I'm all for less work and a faster release schedule for the packages. But I haven't found guides or examples for editing and building a package from an existing one.
I've looked closer into your slack package and it turns out that this software is proprietary and the "sources" are an RPM with precompiled binaries. This is nothing we can review, because no source code is available. Also I'm not even sure whether openSUSE:Factory will accept this proprietary software and its license. So in this state I fear we can't help you. You can try to remove the chrome-sandbox binary from the package and see whether it works. You could e.g. add a Requires: to chromium and replace the chrome-sandbox in slack with a symlink to the chrome-sandbox shipped by chromium.
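The replacement Matthias suggests (drop the bundled setuid helper, point a symlink at the copy chromium ships, and make sure nothing setuid is left in the buildroot), written out as an added example that is not from this bug report or from the slack or chromium packages. It assumes the chromium package installs its helper at /usr/lib64/chromium/chrome-sandbox and that the slack helper lives at /usr/lib64/slack/chrome-sandbox as rpmlint reported; both functions are meant for a spec file's %install and %check sections, with `Requires: chromium` added alongside.

```shell
#!/bin/sh
# Assumed location of the distribution-reviewed sandbox helper (not verified
# against the real chromium package here).
CHROMIUM_SANDBOX=/usr/lib64/chromium/chrome-sandbox

# Replace the bundled setuid helper under $buildroot with a symlink to the
# chromium copy. A symlink carries no mode bits of its own, so the
# permissions-file-setuid-bit check no longer applies to this path and the
# only setuid chrome-sandbox on the system is the one chromium already ships.
replace_sandbox() {
    buildroot=$1
    helper="$buildroot/usr/lib64/slack/chrome-sandbox"
    [ -e "$helper" ] || return 1
    rm -f "$helper"
    ln -s "$CHROMIUM_SANDBOX" "$helper"
}

# List every regular file under $buildroot that still carries setuid or
# setgid; returns 1 if any is found, so the build fails before rpmlint does.
find_setuid() {
    buildroot=$1
    found=$(find "$buildroot" -type f \( -perm -4000 -o -perm -2000 \) -print)
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}
```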
(In reply to Matthias Gerstner from comment #6)
> So in this state I fear we can't help you. You can try to remove the
> chrome-sandbox binary from the package and see whether it works. You could
> e.g. add a Requires: to chromium and replace the chrome-sandbox in slack with
> a symlink to the chrome-sandbox shipped by chromium.

Okay, I'll try it.

> I've looked closer into your slack package and it turns out that this
> software is proprietary and the "sources" are an RPM with precompiled
> binaries. This is nothing we can review, because no source code is
> available. Also I'm not even sure whether openSUSE:Factory will accept this
> proprietary software and its license.

I'm trying to submit this package because I found https://build.opensuse.org/package/show/games:tools/discord . It's also Electron-based proprietary software. Therefore, I believe openSUSE:Factory:NonFree or another project might be a suitable place for this package.
So I'm closing this bug since there's nothing here we can review.