114049 2005-11-30 09:56 0000 kde ebuilds installing applications with the setuid bit on fail with FEATURES="-stricter" 2005-12-11 07:00:51 0000 1 1 1 Unclassified Gentoo Linux KDE unspecified All Linux RESOLVED FIXED kde-base/kdesu done; kde-base/kcheckpass done; kde-base/kdebase done P2 normal --- 113934 113937 1 betelgeuse@gentoo.org kde@gentoo.org betelgeuse@gentoo.org 2005-11-30 09:56:29 0000 Because it seems to be a common to many kde ebuilds, I will not file new bugs for every ebuild but instead list them here. The two separate bugs I already filed I will leave open. strip: i686-pc-linux-gnu-strip --strip-unneeded usr/kde/3.5/bin/kdesu usr/kde/3.5/bin/kdesud QA Notice: the following files are setXid, dyn linked, and using lazy bindings This combination is generally discouraged. Try re-emerging the package: LDFLAGS='-Wl,-z,now' emerge kdesu LAZY usr/kde/3.5/bin/kdesud !!! ERROR: kde-base/kdesu-3.5.0 failed. betelgeuse@gentoo.org 2005-11-30 10:44:33 0000 QA Notice: the following files are setXid, dyn linked, and using lazy bindings This combination is generally discouraged. Try re-emerging the package: LDFLAGS='-Wl,-z,now' emerge kcheckpass LAZY usr/kde/3.5/bin/kcheckpass !!! ERROR: kde-base/kcheckpass-3.5.0 failed. greg_g@gentoo.org 2005-12-05 05:50:44 0000 Is there some documentation on this issue? It would be easy to add an append-flags to the eclass, but maybe it could be better to report it directly upstream, if it really has some impact on security? flameeyes@gentoo.org 2005-12-08 17:43:21 0000 To report it upstream, I'd suggest to use at least the m4 I started developing for Gentoo/ALT that supports also Solaris's LD (that use the same syntax, btw) and the one from MacOSX. Other than the, the fixes shouldn't happen unconditionally, I think; I've patched arts and I'll see to patch the rest, but I set the right flags from the ebuild via the BINDNOW_FLAGS variable using $(bindnow-flags); it does the same that the m4 would do if it was used. If you want to push this upstream, maybe you can try to contact Dirk Mueller.. I sure won't do it :) Give me time and I'll see to fix it piece by piece.. but it takes time waiting for kdelibs rebuild for example. flameeyes@gentoo.org 2005-12-09 01:13:14 0000 Let's start, I'll use status whiteboard to track changes.. flameeyes@gentoo.org 2005-12-09 01:46:12 0000 Greg, I've committed kde-base/kdebase with the two patches, tested unpack and they apply, I don't have a monolithic setup at hand, tho, so if you can give that a try, please then close this bug, thanks :) betelgeuse@gentoo.org 2005-12-10 07:04:49 0000 So I decided to go on and find the rest of setuid stuff. Here we go for kdenetwork: QA Notice: the following files are setXid, dyn linked, and using lazy bindings This combination is generally discouraged. Try re-emerging the package: LDFLAGS='-Wl,-z,now' emerge kdenetwork LAZY usr/kde/3.5/bin/kppp LAZY usr/kde/3.5/bin/reslisa betelgeuse@gentoo.org 2005-12-11 03:05:01 0000 I have now done emerge kde with some ebuild from split and most from monolithic packages with most USE flags on so most of the setuid programs from KDE itself (not counting external stuff like amarok) should now be listed here. flameeyes@gentoo.org 2005-12-11 05:28:24 0000 Fixed then.. in the future you might consider not to use stricter anyway, as solar said, it's supposed that most ebuilds does not build with it. While the QA is always a good idea, also for support of non-glibc non-uclibc libraries, they intend to fix them on libc level, without requiring -znow linking on binaries. betelgeuse@gentoo.org 2005-12-11 07:00:51 0000 Well stricter also catches other stuff, but I can leave the setuid bit tests out.