Bug 1228548

Summary: AUDIT-0: cockpit: move cockpit libexec binaries to /usr/lib/cockpit
Product: [openSUSE] PUBLIC SUSE Linux Enterprise Desktop 15 SP6
Reporter: Luna D Dragon <luna.dragon>
Component: Security
Assignee: Wolfgang Frisch <wolfgang.frisch>
Status: RESOLVED FIXED
QA Contact:
Severity: Normal
Priority: P5 - None
CC: wolfgang.frisch
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1223533
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Luna D Dragon 2024-07-30 11:45:14 UTC
cockpit has a set of hardcoded locations it searches for binaries such as cockpit-askpass. When it can't find these binaries, it can result in bsc#1223533. To resolve this, I changed the install location of these binaries to /usr/lib/cockpit, but this change requires an audit from the security team. My changes to the rpm are here: https://build.opensuse.org/package/show/home:ldragon:branches:openSUSE:Backports:SLE-15-SP6:Update/cockpit
Comment 1 Luna D Dragon 2024-07-30 11:50:20 UTC
To be more specific, this is the error that needs the whitelist:
cockpit-ws.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/cockpit/cockpit-session is packaged with setuid/setgid bits (04750)
Comment 2 Wolfgang Frisch 2024-07-30 13:01:16 UTC
Thanks for the bug report.
I can take care of this.
Comment 3 Matthias Gerstner 2024-07-30 13:12:04 UTC
(In reply to luna.dragon@suse.com from comment #1)
> To be more specific, this is the error that needs the whitelist:
> cockpit-ws.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/cockpit/cockpit-session is packaged with setuid/setgid bits (04750)

Shouldn't executables be placed into libexec instead?
Comment 4 Luna D Dragon 2024-07-30 13:26:35 UTC
Leap 15 does not have /usr/libexec
Comment 5 Matthias Gerstner 2024-07-31 09:07:00 UTC
(In reply to luna.dragon@suse.com from comment #4)
> Leap 15 does not have /usr/libexec

Ah, right, I thought this was for Tumbleweed.
Comment 6 Wolfgang Frisch 2024-07-31 11:48:22 UTC
The whitelisting itself is trivial and already prepared, but we need to fork the "permissions" package for SLE-15-SP6 first, which may take a while.
Thank you for your patience.
Comment 9 Maintenance Automation 2024-08-06 16:30:46 UTC
SUSE-RU-2024:2779-1: An update that has one fix can now be installed.

URL: https://www.suse.com/support/update/announcement/2024/suse-ru-20242779-1
Category: recommended (moderate)
Bug References: 1228548
Maintenance Incident: [SUSE:Maintenance:34930](https://smelt.suse.de/incident/34930/)
Sources used:
openSUSE Leap 15.6 (src):
 permissions-20240801-150600.10.4.1
Basesystem Module 15-SP6 (src):
 permissions-20240801-150600.10.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Wolfgang Frisch 2024-08-07 06:06:06 UTC
Resolved.
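
The rpmlint error in comment 1 and the whitelisting mentioned in comment 6 come down to an allowlist keyed by exact path and mode, which is why moving cockpit-session to a new directory needs a new entry. The following is an added example, not part of the bug thread and not rpmlint's or the permissions package's own code; the allowlist structure, function names and the sample tree (including the `/usr/libexec` path) are constructed for illustration.

```python
import os
import stat

# Constructed allowlist (assumption): packaged path -> exact permitted mode.
# Path and mode are the ones in the rpmlint message quoted in comment 1.
ALLOWLIST = {"/usr/lib/cockpit/cockpit-session": 0o4750}


def audit_buildroot(buildroot, allowlist=ALLOWLIST):
    """Return (packaged_path, mode, verdict) for every setuid/setgid file."""
    findings = []
    for dirpath, _dirs, files in os.walk(buildroot):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # never follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue  # unprivileged files are out of scope
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(full, buildroot)
            packaged = "/" + rel.replace(os.sep, "/")
            expected = allowlist.get(packaged)
            if expected is None:
                verdict = "not-allowlisted"   # new path: needs an audit
            elif expected != mode:
                verdict = "mode-mismatch"     # audited path, different bits
            else:
                verdict = "ok"
            findings.append((packaged, mode, verdict))
    return sorted(findings)


def make_sample_tree(root):
    """Build a constructed package tree for the demo (not real binaries)."""
    samples = {
        "usr/lib/cockpit/cockpit-session": 0o4750,  # matches the allowlist
        "usr/libexec/cockpit-session": 0o4750,      # same mode, unaudited path
        "usr/lib/cockpit/cockpit-askpass": 0o0755,  # no setuid bit, ignored
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)  # chmod after writing so the bit is kept


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for packaged, mode, verdict in audit_buildroot(tmp):
            print(f"{verdict:16} {mode:05o} {packaged}")
```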