
Re: Any progress with FIS GT.M?



On Wed, Jul 4, 2012 at 2:08 PM, Luis Ibanez <luis.ibanez@kitware.com> wrote:
 

Great news is that Yaroslav's finding of dh_fixperms
seems to be the solution to the struggle we were
having with the setuid! :-)



An Update on this front:

Overriding dh_fixperms is working great
for the local build with "debuild".

The remaining lintian messages here are:

dpkg-buildpackage: full upload (original source is included)
Now running lintian...
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/dse
W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/dse
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/ftok
W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/ftok
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/geteuid
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_gnp_server
W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_gnp_server
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_pkdisp
W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_pkdisp
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_play
W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_play
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_server
W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_server
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_shmclean
W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_shmclean
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshr
W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshr
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshrdir/gtmsecshr
W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshrdir/gtmsecshr
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/libgtmshr.so
W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/libgtmshr.so
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/lke
W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/lke
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/mumps
W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/mumps
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/mupip
W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/mupip
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/plugin/gtmcrypt/maskpass
W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/plugin/gtmcrypt/maskpass
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/plugin/libgtmcrypt.so
W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/plugin/libgtmcrypt.so
W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/semstat2
W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/semstat2
W: fis-gtm-5.5.000: setuid-binary usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshr 4755 root/root
N: 3 tags overridden (3 warnings)
Finished running lintian.




We are now tracking the problem with cowbuilder
and the chroot environment, where the lintian errors
start with:

lintian fis-gtm-5.5.000_5.5-000+git109-g57f2d89-1_amd64.deb
/bin/tar: ./usr/lib/fis-gtm/V5.5-000_x86_64/utf8/gtmhlpld.m: Cannot open: Permission denied
/bin/tar: ./usr/lib/fis-gtm/V5.5-000_x86_64/utf8/_GD.m: Cannot open: Permission denied
/bin/tar: ./usr/lib/fis-gtm/V5.5-000_x86_64/utf8/gtm_limits.h: Cannot open: Permission denied
/bin/tar: ./usr/lib/fis-gtm/V5.5-000_x86_64/utf8/_rse.m: Cannot open: Permission denied

[...]


The interesting features about them are:

1) The error comes from /bin/tar
2) It is only for files in the "utf8" subdirectory
3) If one installs that package,
3.1) all the files in the utf8 subdirectory
        have permissions: "rwxrwxrwx"
3.2) none of the files in
       ./usr/lib/fis-gtm/V5.5-000_x86_64
      have executable permissions.


It is starting to look like the dh_fixperms applies more
stringent rules when run inside the cowbuilder environment.
(maybe a different version of the rules ..?)

I'm starting to wonder if the removal of execution
permissions is in part due to the fact that we are
placing all these files inside /usr/lib/fis-gtm as
opposed to /usr/bin/fis-gtm...


I'm now going to try setting up a full Debian
installation with unstable (as opposed to my
partial update) to have something in between
the local debuild process and the one that is
created by cowbuilder.


    Luis
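
Added example, not part of the original message: one way to check the three permission symptoms described above (the setuid gtmsecshr, the world-writable files under utf8, and programs that lost their execute bit) without installing the package, by parsing the listing that `dpkg-deb -c` prints. The sample listing, the function names and the choice of which paths to treat as expected-setuid or must-be-executable are assumptions made for illustration.

```python
import stat

BASE = "./usr/lib/fis-gtm/V5.5-000_x86_64/"

# Constructed sample in the format printed by `dpkg-deb -c <package>.deb`.
# Paths follow the ones in the message; sizes, dates and modes are made up.
SAMPLE_LISTING = f"""\
drwxr-xr-x root/root         0 2012-07-04 14:08 {BASE}
-rwsr-xr-x root/root    123456 2012-07-04 14:08 {BASE}gtmsecshr
-rw-r--r-- root/root    654321 2012-07-04 14:08 {BASE}mumps
-rwxrwxrwx root/root      2048 2012-07-04 14:08 {BASE}utf8/_GD.m
-rwxrwxrwx root/root      4096 2012-07-04 14:08 {BASE}utf8/gtm_limits.h
"""

def mode_to_octal(perms):
    """Convert a 9-character string such as 'rwsr-xr-x' to a numeric mode."""
    mode = 0
    for i, ch in enumerate(perms):
        if ch in "rwxst":              # lowercase s/t imply the execute bit
            mode |= 0o400 >> i
        if ch in "sS":                 # position 2 is setuid, 5 is setgid
            mode |= stat.S_ISUID if i == 2 else stat.S_ISGID
        elif ch in "tT":
            mode |= stat.S_ISVTX
    return mode

def audit_listing(listing, expected_setuid=(), must_be_executable=()):
    """Return (tag, path, octal mode) tuples for suspicious entries."""
    findings = []
    for line in listing.splitlines():
        fields = line.split(None, 5)   # mode owner size date time path
        if len(fields) < 6 or fields[0][0] == "l":
            continue                   # skip malformed lines and symlinks
        path, mode = fields[5], mode_to_octal(fields[0][1:10])
        shown = "%04o" % mode
        if mode & (stat.S_ISUID | stat.S_ISGID) and path not in expected_setuid:
            findings.append(("unexpected-setid", path, shown))
        if path in must_be_executable and not mode & stat.S_IXUSR:
            findings.append(("not-executable", path, shown))
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append(("world-writable", path, shown))
    return findings

if __name__ == "__main__":
    for finding in audit_listing(SAMPLE_LISTING,
                                 expected_setuid={BASE + "gtmsecshr"},
                                 must_be_executable={BASE + "mumps"}):
        print(*finding)
```

Running the same function over the listing of a package built with debuild and one built with cowbuilder gives a direct comparison of the modes each build produced.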


