925512 – sys-process/fcron-3.3.1-r2 installs system executables owned by nonzero uid

Bug 925512 - sys-process/fcron-3.3.1-r2 installs system executables owned by nonzero uid

Summary: sys-process/fcron-3.3.1-r2 installs system executables owned by nonzero uid

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Alexey

URL:
Whiteboard:
Keywords:	PullRequest

Depends on:
Blocks:

Reported:	2024-02-25 20:13 UTC by Agostino Sarubbo
Modified:	2025-02-08 10:01 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/39940
Package list:
Runtime testing required:	---

Attachments
build.log (build.log,77.25 KB, text/plain) 2024-02-25 20:13 UTC, Agostino Sarubbo	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2024-02-25 20:13:42 UTC

https://blogs.gentoo.org/ago/2020/07/04/gentoo-tinderbox/

Issue: sys-process/fcron-3.3.1 installs system executables owned by nonzero uid.
Discovered on: arm64 (internal ref: tinderbox_arm64)
System: GCC-14-SYSTEM (https://wiki.gentoo.org/wiki/Project:Tinderbox/Common_Issues_Helper#GCC-14)

Comment 1 Agostino Sarubbo gentoo-dev

2024-02-25 20:13:43 UTC

Created attachment 886003 [details]
build.log

build log and emerge --info

Comment 2 Alexey 2024-03-04 01:52:14 UTC

This is intended. Otherwise we either get this error when running crontab:

ERROR could not change euid to 999: Operation not permitted

Or this file is suid with root, which is much worse.

Comment 3 Agostino Sarubbo gentoo-dev

2024-03-09 14:40:07 UTC

ci has reproduced this issue with version 3.3.1-r1 - Updating summary.

Comment 4 Agostino Sarubbo gentoo-dev

2024-12-15 18:47:45 UTC

ci has reproduced this issue with version 3.3.1-r2 - Updating summary.

Comment 5 Larry the Git Cow gentoo-dev

2025-02-08 10:01:11 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=527fdd525030c58585c781badf76736d7f872c72

commit 527fdd525030c58585c781badf76736d7f872c72
Author:     Alexey Sokolov <alexey+gentoo@asokolov.org>
AuthorDate: 2025-01-02 00:24:25 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2025-02-08 10:00:25 +0000

    sys-process/fcron: add 3.3.2
    
    Simplify src_install by reusing upstream's make install
    
    Closes: https://bugs.gentoo.org/925512
    Signed-off-by: Alexey Sokolov <alexey+gentoo@asokolov.org>
    Closes: https://github.com/gentoo/gentoo/pull/39940
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-process/fcron/Manifest                       |   1 +
 sys-process/fcron/fcron-3.3.2.ebuild             | 256 +++++++++++++++++++++++
 sys-process/fcron/files/fcron-3.3.2-time_t.patch |  22 ++
 3 files changed, 279 insertions(+)