On Mon, 2008-04-14 at 15:46 -0400, Chuck Anderson wrote:
> Why is this program set-uid root?
>
> ls -l /usr/lib/nspluginwrapper/plugin-config
> -rwsr-xr-x 1 root root 60048 2008-03-11 10:02 /usr/lib/nspluginwrapper/plugin-config*
>
> https://bugzilla.redhat.com/show_bug.cgi?id=442065
Probably so that it can create files in /usr/lib/mozilla when a user
downloads a plugin via their browser.
--
Jesse Keating
Fedora -- All my bits are free, are yours?
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
On Mon, Apr 14, 2008 at 03:57:56PM -0400, Jesse Keating wrote:
> On Mon, 2008-04-14 at 15:46 -0400, Chuck Anderson wrote:
> > Why is this program set-uid root?
> >
> > ls -l /usr/lib/nspluginwrapper/plugin-config
> > -rwsr-xr-x 1 root root 60048 2008-03-11 10:02 /usr/lib/nspluginwrapper/plugin-config*
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=442065
>
> Probably so that it can create files in /usr/lib/mozilla when a user
> downloads a plugin via their browser.
That just seems wrong. If a user can download a plugin, it should be
put in ~/.mozilla/plugins. A user shouldn't be able to force a plugin
into a system-wide directory.
On Mon, 2008-04-14 at 16:01 -0400, Chuck Anderson wrote:
> On Mon, Apr 14, 2008 at 03:57:56PM -0400, Jesse Keating wrote:
> > On Mon, 2008-04-14 at 15:46 -0400, Chuck Anderson wrote:
> > > Why is this program set-uid root?
> > >
> > > ls -l /usr/lib/nspluginwrapper/plugin-config
> > > -rwsr-xr-x 1 root root 60048 2008-03-11 10:02 /usr/lib/nspluginwrapper/plugin-config*
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=442065
> >
> > Probably so that it can create files in /usr/lib/mozilla when a user
> > downloads a plugin via their browser.
>
> That just seems wrong. If a user can download a plugin, it should be
> put in ~/.mozilla/plugins. A user shouldn't be able to force a plugin
> into a system-wide directory.
I didn't say it was right, just what I thought was happening.
--
Jesse Keating
Fedora -- All my bits are free, are yours?
> On Mon, Apr 14, 2008 at 03:57:56PM -0400, Jesse Keating wrote:
> > On Mon, 2008-04-14 at 15:46 -0400, Chuck Anderson wrote:
> > > Why is this program set-uid root?
> > >
> > > ls -l /usr/lib/nspluginwrapper/plugin-config
> > > -rwsr-xr-x 1 root root 60048 2008-03-11 10:02 /usr/lib/nspluginwrapper/plugin-config*
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=442065
> >
> > Probably so that it can create files in /usr/lib/mozilla when a user
> > downloads a plugin via their browser.
>
> That just seems wrong. If a user can download a plugin, it should be
> put in ~/.mozilla/plugins. A user shouldn't be able to force a plugin
> into a system-wide directory.
See https://bugzilla.redhat.com/show_bug.cgi?id=334311 for more history on it
later,
chris
On Mon, 2008-04-14 at 16:08 -0400, Chris Ricker wrote:
> On Mon, 14 Apr 2008, Chuck Anderson wrote:
>
> > On Mon, Apr 14, 2008 at 03:57:56PM -0400, Jesse Keating wrote:
> > > On Mon, 2008-04-14 at 15:46 -0400, Chuck Anderson wrote:
> > > > Why is this program set-uid root?
> > > >
> > > > ls -l /usr/lib/nspluginwrapper/plugin-config
> > > > -rwsr-xr-x 1 root root 60048 2008-03-11 10:02 /usr/lib/nspluginwrapper/plugin-config*
> > > >
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=442065
> > >
> > > Probably so that it can create files in /usr/lib/mozilla when a user
> > > downloads a plugin via their browser.
> >
> > That just seems wrong. If a user can download a plugin, it should be
> > put in ~/.mozilla/plugins. A user shouldn't be able to force a plugin
> > into a system-wide directory.
>
> See https://bugzilla.redhat.com/show_bug.cgi?id=334311 for more history on it
Does it have its own domain in policy so that it is at least confined to
only those capabilities it requires and only to access those files it
requires?
Although that won't help from default user shell of unconfined_t.
--
Stephen Smalley
National Security Agency