Luis,

Thanks! Comments below as [amul:1]

On 07/04/12 14:08, Luis Ibanez wrote:
> Amul,
>
> Thanks for making the changes in the Git repository.
>
> In order to match that new version:
>
> 1) I modified changelog to pull : 57f2d896697
> 2) Removed the insertion of shebang lines from the "rules" file.
> 3) Removed the incorrect setuid attempt from the "rules" file.
> 4) Inserted an override_dh_fixperms in the "rules" file.
>
> Then, building with debuild, returns:
>
> Now running lintian...
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/dse
> W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/dse
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/ftok
> W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/ftok
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/geteuid
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_gnp_server
> W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_gnp_server
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_pkdisp
> W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_pkdisp
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_play
> W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_play
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_server
> W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_server
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_shmclean
> W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_shmclean
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshr
> W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshr
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshrdir/gtmsecshr
> W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshrdir/gtmsecshr
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/libgtmshr.so
> W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/libgtmshr.so
> W: fis-gtm-5.5.000: shared-lib-without-dependency-information usr/lib/fis-gtm/V5.5-000_x86_64/libgtmutil.so
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/lke
> W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/lke
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/mumps
> W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/mumps
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/mupip
> W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/mupip
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/plugin/gtmcrypt/maskpass
> W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/plugin/gtmcrypt/maskpass
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/plugin/libgtmcrypt.so
> W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/plugin/libgtmcrypt.so
> W: fis-gtm-5.5.000: hardening-no-relro usr/lib/fis-gtm/V5.5-000_x86_64/semstat2
> W: fis-gtm-5.5.000: hardening-no-fortify-functions usr/lib/fis-gtm/V5.5-000_x86_64/semstat2
> W: fis-gtm-5.5.000: shared-lib-without-dependency-information usr/lib/fis-gtm/V5.5-000_x86_64/utf8/libgtmutil.so
> W: fis-gtm-5.5.000: non-standard-executable-perm usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_run 0744 != 0755
> W: fis-gtm-5.5.000: non-standard-executable-perm usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_slist 0744 != 0755
> W: fis-gtm-5.5.000: setuid-binary usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshr 4755 root/root
> W: fis-gtm-5.5.000: non-standard-dir-perm usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshrdir/ 0700 != 0755
> W: fis-gtm-5.5.000: setuid-binary usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshrdir/gtmsecshr 4700 root/root
> W: fis-gtm-5.5.000: executable-is-not-world-readable usr/lib/fis-gtm/V5.5-000_x86_64/gtmsecshrdir/gtmsecshr 4700
> W: fis-gtm-5.5.000: non-standard-executable-perm usr/lib/fis-gtm/V5.5-000_x86_64/gtmstart 0744 != 0755
> W: fis-gtm-5.5.000: non-standard-executable-perm usr/lib/fis-gtm/V5.5-000_x86_64/gtmstop 0744 != 0755
> W: fis-gtm-5.5.000: executable-not-elf-or-script usr/lib/fis-gtm/V5.5-000_x86_64/gtcm_slist
> W: fis-gtm-5.5.000: executable-not-elf-or-script usr/lib/fis-gtm/V5.5-000_x86_64/gtmcshrc
> W: fis-gtm-5.5.000: executable-not-elf-or-script usr/lib/fis-gtm/V5.5-000_x86_64/gtmprofile
> W: fis-gtm-5.5.000: executable-not-elf-or-script usr/lib/fis-gtm/V5.5-000_x86_64/gtmprofile_preV54000
> E: fis-gtm-5.5.000: shlib-with-executable-bit usr/lib/fis-gtm/V5.5-000_x86_64/libgtmshr.so 0755
> E: fis-gtm-5.5.000: shlib-with-executable-bit usr/lib/fis-gtm/V5.5-000_x86_64/plugin/libgtmcrypt.so 0755
> N: 1 tag overridden (1 warning)
>
> Therefore:
>
> A) we still have warnings with the scripts:
>
> gtcm_slist
> gtmcshrc
> gtmprofile
> gtmprofile_preV54000

[amul:1] Yaroslav (or was it Andreas?) suggested placing those files into /etc/fis-gtm/V5.5-000_<ARCH>, where ARCH is either x86_64 or i686. Those files contain the GT.M environment configuration. The other option is to change the mode of those files to non-executable.

>
> B) The two .so shared libraries, apparently shouldn't
> have executable permissions. Any objection to
> removing those executable permissions ?

[amul:1] That's weird. I thought if you can't exec a library, you can't load it. A little googling for an answer reveals that the execute bit is not required. I tried the distribution without the execute bit and it works.
http://serverfault.com/questions/173853/why-shared-libraries-on-linux-are-executable

> I'll experiment removing those permissions as part
> of the override_dh_fixperms.
>
> Great news is that Yaroslav's finding of dh_fixperms
> seems to be the solution to the struggle we were
> having with the setuid ! :-)
>
> Luis

_____________
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
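An added example, written for this page and not taken from the fis-gtm packaging or from anyone in the thread: a plain-sh version of what the override_dh_fixperms step under discussion could do to the staged package tree, followed by a lintian-style audit so the result can be checked before debuild runs lintian again. The directory path is the one the lintian report shows; everything else is an assumption: the permission policy (shared objects lose the execute bit, the environment files gtmcshrc/gtmprofile/gtmprofile_preV54000 become non-executable as the reply's second option suggests, gtmsecshr keeps its setuid bits, other 0744 executables become 0755), the function names, and the constructed sample tree. The chown to root that the real rules file gets from fakeroot is deliberately not attempted here.

```shell
#!/bin/sh
# Added example, not part of the fis-gtm packaging or of this thread.
# A plain-sh equivalent of an override_dh_fixperms body applied to the
# staged tree (debian/<pkg>), plus a lintian-style audit of the result.
# Policy below is an assumption drawn from the lintian report and the reply:
# *.so lose the execute bit, the environment files become non-executable,
# gtmsecshr keeps its setuid bits, other executables become 0755.
# chown to root is left to fakeroot/debuild and is not attempted here.
set -u

LIBDIR=usr/lib/fis-gtm/V5.5-000_x86_64   # path as it appears in the lintian report

mode_of() {   # octal mode of a path; GNU stat first, BSD stat as fallback
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

apply_perms() {   # $1 = staging root; mirrors what the override would do
  d="$1/$LIBDIR"
  find "$d" -type f -name '*.so' -exec chmod 0644 {} +
  for f in gtmcshrc gtmprofile gtmprofile_preV54000; do
    if [ -e "$d/$f" ]; then chmod 0644 "$d/$f"; fi
  done
  # 0744 executables -> 0755, leaving setuid files and libraries alone
  find "$d" -type f -perm -u+x ! -perm -u+s ! -name '*.so' -exec chmod 0755 {} +
  if [ -e "$d/gtmsecshr" ]; then chmod 4755 "$d/gtmsecshr"; fi
  if [ -d "$d/gtmsecshrdir" ]; then
    chmod 0700 "$d/gtmsecshrdir"
    chmod 4700 "$d/gtmsecshrdir/gtmsecshr"
  fi
}

audit_perms() {   # one lintian-like line per finding, no output when clean
  d="$1/$LIBDIR"
  find "$d" -type f -name '*.so' -perm -u+x | sed 's/^/E: shlib-with-executable-bit /'
  find "$d" -type f -perm -u+s | sed 's/^/W: setuid-binary /'
  find "$d" -type f -perm -u+x ! -perm -g+x ! -perm -u+s \
    | sed 's/^/W: non-standard-executable-perm /'
}

count_findings() { audit_perms "$1" | wc -l | tr -d ' '; }

# Rough stand-ins for lintian's hardening-no-relro / hardening-no-fortify-functions
# checks, for real ELF files only (needs binutils; the constructed tree below
# contains no ELF files, so they are not exercised here).
has_relro()   { readelf -lW "$1" 2>/dev/null | grep -q GNU_RELRO; }
has_fortify() { readelf -sW "$1" 2>/dev/null | grep '_chk' | grep -qv '__stack_chk'; }

make_sample_tree() {   # constructed tree mirroring the paths lintian listed
  root=$(mktemp -d)
  d="$root/$LIBDIR"
  mkdir -p "$d/gtmsecshrdir" "$d/plugin/gtmcrypt"
  for f in dse mumps mupip lke gtmsecshr gtmsecshrdir/gtmsecshr plugin/gtmcrypt/maskpass \
           gtmcshrc gtmprofile gtmprofile_preV54000 libgtmshr.so plugin/libgtmcrypt.so; do
    : > "$d/$f"; chmod 0755 "$d/$f"
  done
  for f in gtcm_run gtcm_slist gtmstart gtmstop; do   # the 0744 ones in the report
    : > "$d/$f"; chmod 0744 "$d/$f"
  done
  printf '%s\n' "$root"
}
```

On the constructed tree the audit reports six findings before apply_perms and two after: the two setuid-binary lines for gtmsecshr, which is the tag the report shows as overridden. The hardening-no-relro and hardening-no-fortify-functions warnings are a separate matter that no permission fix touches; they go away only if the upstream build actually picks up the CFLAGS/LDFLAGS that dpkg-buildflags emits (with debhelper compat 9 or later, plus hardening=+all in DEB_BUILD_MAINT_OPTIONS), which is worth verifying with readelf on the built binaries rather than assuming from the rules file.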

