snapcraft for maven project included setuid binary
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Snapcraft |
Fix Released
|
High
|
Sergio Schvezov | ||
Bug Description
I'm reporting this bug on behalf of someone in an email thread.
Currently, snaps are not allowed to ship setuid/setgid binaries. It isn't supported by the snappy install operation and the security policy does not allow CAP_SETUID and CAP_SETGID, so the review tools check for this to make sure everything is ok. (Perhaps one day we will want to support this, but IMO we should avoid this for as long as possible and very carefully think about how to support it (if at all) because things could get complicated in a hurry on a system like Ubuntu Personal.)
In that spirit, snapcraft for maven projects is pulling in fusermount and the review tools complains:
found errors in hashes.yaml: mode 'rwxr-xr-x' != 'rwsr-xr-x' for 'bin/fusermount', mode 'rwxr-xr-x' != 'rwsr-xr-x' for 'usr/lib/
Snapcraft should strip the setuid/setgid bits of any files before calling snappy build.
Related branches
- John Lenton (community): Approve
-
Diff: 139 lines (+58/-24)2 files modifiedsnapcraft/repo.py (+15/-2)
snapcraft/tests/test_repo.py (+43/-22)
| Changed in snapcraft: | |
| importance: | Undecided → High |
| Changed in snapcraft: | |
| milestone: | none → 0.3 |
| assignee: | nobody → Sergio Schvezov (sergiusens) |
| Changed in snapcraft: | |
| status: | New → Fix Committed |
| Changed in snapcraft: | |
| status: | Fix Committed → Fix Released |
