Luis,
Thanks! Comments below as [amul:1]
On 07/04/12 14:08, Luis Ibanez wrote:
Amul,
Thanks for making the changes in the Git repository.
In order to match that new version:
1) I modified changelog to pull: 57f2d896697
2) Removed the insertion of shebang lines from the "rules" file.
3) Removed the incorrect setuid attempt from the "rules" file.
4) Inserted an override_dh_fixperms in the "rules" file.
Then, building with debuild, returns:
Now running lintian...
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/dse
W: fis-gtm-5.5.000: hardening-no-fortify-functions
usr/lib/fis-gtm/V5.5-000_x86_64/dse
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/ftok
W: fis-gtm-5.5.000: hardening-no-fortify-functions
usr/lib/fis-gtm/V5.5-000_x86_64/ftok
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/geteuid
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_gnp_server
W: fis-gtm-5.5.000: hardening-no-fortify-functions
usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_gnp_server
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_pkdisp
W: fis-gtm-5.5.000: hardening-no-fortify-functions
usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_pkdisp
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_play
W: fis-gtm-5.5.000: hardening-no-fortify-functions
usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_play
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_server
W: fis-gtm-5.5.000: hardening-no-fortify-functions
usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_server
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_shmclean
W: fis-gtm-5.5.000: hardening-no-fortify-functions
usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_shmclean
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshr
W: fis-gtm-5.5.000: hardening-no-fortify-functions
usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshr
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshrdir/gtmsecshr
W: fis-gtm-5.5.000: hardening-no-fortify-functions
usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshrdir/gtmsecshr
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/libgtmshr.so
W: fis-gtm-5.5.000: hardening-no-fortify-functions
usr/lib/fis-gtm/V5.5-000_x86_64/libgtmshr.so
W: fis-gtm-5.5.000: shared-lib-without-dependency-information
usr/lib/fis-gtm/V5.5-000_x86_64/libgtmutil.so
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/lke
W: fis-gtm-5.5.000: hardening-no-fortify-functions
usr/lib/fis-gtm/V5.5-000_x86_64/lke
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/mumps
W: fis-gtm-5.5.000: hardening-no-fortify-functions
usr/lib/fis-gtm/V5.5-000_x86_64/mumps
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/mupip
W: fis-gtm-5.5.000: hardening-no-fortify-functions
usr/lib/fis-gtm/V5.5-000_x86_64/mupip
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/plugin/gtmcrypt/maskpass
W: fis-gtm-5.5.000: hardening-no-fortify-functions
usr/lib/fis-gtm/V5.5-000_x86_64/plugin/gtmcrypt/maskpass
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/plugin/libgtmcrypt.so
W: fis-gtm-5.5.000: hardening-no-fortify-functions
usr/lib/fis-gtm/V5.5-000_x86_64/plugin/libgtmcrypt.so
W: fis-gtm-5.5.000: hardening-no-relro
usr/lib/fis-gtm/V5.5-000_x86_64/semstat2
W: fis-gtm-5.5.000: hardening-no-fortify-functions
usr/lib/fis-gtm/V5.5-000_x86_64/semstat2
W: fis-gtm-5.5.000: shared-lib-without-dependency-information
usr/lib/fis-gtm/V5.5-000_x86_64/utf8/libgtmutil.so
W: fis-gtm-5.5.000: non-standard-executable-perm
usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_run 0744 != 0755
W: fis-gtm-5.5.000: non-standard-executable-perm
usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_slist 0744 != 0755
W: fis-gtm-5.5.000: setuid-binary
usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshr 4755 root/root
W: fis-gtm-5.5.000: non-standard-dir-perm
usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshrdir/ 0700 != 0755
W: fis-gtm-5.5.000: setuid-binary
usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshrdir/gtmsecshr 4700 root/root
W: fis-gtm-5.5.000: executable-is-not-world-readable
usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshrdir/gtmsecshr 4700
W: fis-gtm-5.5.000: non-standard-executable-perm
usr/lib/fis-gtm/V5.5-000_x86_64/gtmstart 0744 != 0755
W: fis-gtm-5.5.000: non-standard-executable-perm
usr/lib/fis-gtm/V5.5-000_x86_64/gtmstop 0744 != 0755
W: fis-gtm-5.5.000: executable-not-elf-or-script
usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_slist
W: fis-gtm-5.5.000: executable-not-elf-or-script
usr/lib/fis-gtm/V5.5-000_x86_64/gtmcshrc
W: fis-gtm-5.5.000: executable-not-elf-or-script
usr/lib/fis-gtm/V5.5-000_x86_64/gtmprofile
W: fis-gtm-5.5.000: executable-not-elf-or-script
usr/lib/fis-gtm/V5.5-000_x86_64/gtmprofile_preV54000
E: fis-gtm-5.5.000: shlib-with-executable-bit
usr/lib/fis-gtm/V5.5-000_x86_64/libgtmshr.so 0755
E: fis-gtm-5.5.000: shlib-with-executable-bit
usr/lib/fis-gtm/V5.5-000_x86_64/plugin/libgtmcrypt.so 0755
N: 1 tag overridden (1 warning)
Therefore:
A) we still have warnings with the scripts:
gtcm_slist
gtmcshrc
gtmprofile
gtmprofile_preV54000
[amul:1] Yaroslav (or was it Andreas?) suggested placing those
files into /etc/fis-gtm/V5.5-000_<ARCH>, where ARCH is
either x86_64 or i686. Those files contain the GT.M
environment configuration. The other option is to change the
mode of those files to non-executable.
B) The two .so shared libraries apparently shouldn't
have executable permissions. Any objection to
removing those executable permissions?
[amul:1] That's weird. I thought if you can't exec a library, you
can't load it. A little googling for an answer reveals that the
execute bit is not required. I tried the distribution without
the execute bit and it works.
http://serverfault.com/questions/173853/why-shared-libraries-on-linux-are-executable
I'll experiment removing those permissions as part
of the override_dh_fixperms.
Great news is that Yaroslav's finding of dh_fixperms
seems to be the solution to the struggle we were
having with the setuid! :-)
Luis
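As an added illustration of the permission clean-up discussed in this thread (this is example code, not the fis-gtm package's own debian/rules), the shell functions below do what an override_dh_fixperms target could do after dh_fixperms has run: strip the execute bit from the .so files, give ELF binaries and #! scripts 0755, make the sourced environment files (gtmprofile, gtmcshrc, ...) non-executable, re-apply the gtmsecshr modes lintian reported above, and then list anything lintian's permission tags would still flag. It assumes a staging tree laid out as usr/lib/fis-gtm/V5.5-000_<ARCH>/ under a DESTDIR.

```shell
#!/bin/sh
# Added example, not code from the thread or from the fis-gtm package:
# normalise file modes in a staged package tree the way an
# override_dh_fixperms target could, then report what lintian would still
# flag. DESTDIR is assumed to contain usr/lib/fis-gtm/V5.5-000_<ARCH>/.
set -eu

# First four bytes 7f 45 4c 46 mark an ELF object.
is_elf() { [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = 7f454c46 ]; }
# A "#!" prefix marks a script that may legitimately carry +x.
has_shebang() { [ "$(head -c 2 "$1")" = '#!' ]; }

# fix_gtm_perms DESTDIR: shared libraries lose the execute bit
# (shlib-with-executable-bit); ELF binaries and #! scripts become 0755
# (non-standard-executable-perm); sourced environment files such as
# gtmprofile and gtmcshrc become 0644 (executable-not-elf-or-script).
fix_gtm_perms() {
    dir="$1"
    find "$dir" -type f | while read -r f; do
        case "$f" in
            *.so|*.so.*) chmod 0644 "$f" ;;
            *) if is_elf "$f" || has_shebang "$f"; then chmod 0755 "$f"
               else chmod 0644 "$f"; fi ;;
        esac
    done
    # gtmsecshr keeps the modes GT.M installs and lintian listed above;
    # dh_fixperms strips setuid, so call this after it. Ownership is
    # root/root already under the fakeroot build.
    for d in "$dir"/usr/lib/fis-gtm/V*; do
        [ -d "$d" ] || continue
        if [ -f "$d/gtmsecshr" ]; then chmod 4755 "$d/gtmsecshr"; fi
        if [ -d "$d/gtmsecshrdir" ]; then chmod 0700 "$d/gtmsecshrdir"; fi
        if [ -f "$d/gtmsecshrdir/gtmsecshr" ]; then
            chmod 4700 "$d/gtmsecshrdir/gtmsecshr"; fi
    done
}

# lint_perms DIR: print one line per file lintian's permission checks
# would still warn about; prints nothing when the tree is clean.
lint_perms() {
    find "$1" -type f -perm -u+x | while read -r f; do
        case "$f" in
            *.so|*.so.*) echo "shlib-with-executable-bit $f" ;;
            *) is_elf "$f" || has_shebang "$f" ||
                   echo "executable-not-elf-or-script $f" ;;
        esac
    done
}
```

In a real debian/rules the two functions would be called from override_dh_fixperms with debian/fis-gtm as DESTDIR, after the plain dh_fixperms line.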