APT whitelist request for cvs #153

Open
henryju opened this issue Jul 22, 2015 · 6 comments

@henryju

henryju commented Jul 22, 2015

Needed to run ITs for https://github.com/SonarCommunity/sonar-scm-cvs

BanzaiMan added a commit to travis-ci/apt-whitelist-checker that referenced this issue Jul 23, 2015
@BanzaiMan
Contributor

Ran tests and found setuid bits. See https://travis-ci.org/travis-ci/apt-whitelist-checker/builds/72229229.

@henryju
Author

henryju commented Jul 23, 2015

I may be wrong but I feel this is not a blocker:
http://arthurdejong.org/cvsd/faq.html#setgid

If my understanding is correct, under some situations cvs may try to use setuid. I guess it will fail in the Travis container for security reasons. If this occurs I think this can be solved on the user side by using appropriate configuration... Is there a way to do a test?

BanzaiMan added a commit to travis-ci/apt-whitelist-checker that referenced this issue Jul 23, 2015
@tarzanek

I'd need cvs for OpenGrok, too
https://travis-ci.org/tarzanek/OpenGrok/builds/72817104
tia!
L

@tarzanek

tarzanek commented Oct 6, 2015

@BanzaiMan can this be added?
per your run it seems setguid behaviour here will properly be ignored, if no permissions were given ...
so I'd say it looks safe, @henryju already explained the details and they basically fit the code found by your checkers ...

@ustuehler

cvs is also required for https://github.com/ustuehler/git-cvs. What's keeping it from being whitelisted? No setgid bit is set on the installed binaries:

$ ls -ld `dpkg -L cvs` | grep bin/
-rwxr-xr-x    1 root root 816368 Feb 17  2014 /usr/bin/cvs
-rwxr-xr-x    1 root root   2527 Feb 17  2014 /usr/bin/cvs-switchroot

BanzaiMan pushed a commit to travis-ci/apt-whitelist-checker that referenced this issue Oct 11, 2018
travisbot pushed a commit to travis-ci/apt-whitelist-checker that referenced this issue Oct 12, 2018
travisbot pushed a commit that referenced this issue Oct 12, 2018
@travisbot

This is an automated comment.

Ran tests and found setuid bits by purely textual search. Further analysis is required.

If these are found to be benign, examine http://github.com/travis-ci/apt-package-whitelist/compare/test-apt-package-whitelist-153 and its PR.

Packages found: cvs

See https://travis-ci.org/travis-ci/apt-whitelist-checker/builds/440489549 for details.
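
The installed-mode check from the `ls -ld` comment above, as an added shell example (not code from this thread or from apt-whitelist-checker): it reads `ls -l` style lines and reports entries whose mode string carries a setuid or setgid bit, including the uppercase `S` form where the bit is set without execute permission. Apart from the two cvs lines quoted from the thread, the listing is constructed, and `sample_listing` and `flag_special_bits` are names chosen here.

```shell
#!/bin/sh
# Added example: flag setuid/setgid entries in `ls -l` style output.

# Constructed sample listing. The two cvs lines are the ones quoted in the
# thread; the example-* entries are made up to exercise each case.
sample_listing() {
    cat <<'EOF'
total 5
-rwxr-xr-x 1 root root 816368 Feb 17  2014 /usr/bin/cvs
-rwxr-xr-x 1 root root   2527 Feb 17  2014 /usr/bin/cvs-switchroot
-rwsr-xr-x 1 root root  10240 Jan  1  2015 /usr/bin/example-suid
-rwxr-sr-x 1 root mail  10240 Jan  1  2015 /usr/bin/example-sgid
-rwSr--r-- 1 root root  10240 Jan  1  2015 /usr/lib/example-noexec
-rwsr-sr-x 1 root root  10240 Jan  1  2015 /usr/bin/example-both
EOF
}

# Reads listing lines on stdin; prints "<kind> <path>" per flagged entry.
# Limitation: the path is taken as the last field, so names containing
# spaces are not handled.
flag_special_bits() {
    awk '
    {
        mode = $1
        # Skip anything that is not a mode string ("total N", blank lines).
        if (length(mode) < 10 || mode !~ /^[-dlbcps][-r][-w]/) next
        u = substr(mode, 4, 1)   # owner execute slot: s or S means setuid
        g = substr(mode, 7, 1)   # group execute slot: s or S means setgid
        kind = ""
        if (u == "s" || u == "S") kind = "setuid"
        if (g == "s" || g == "S") kind = (kind == "" ? "setgid" : kind "+setgid")
        if (kind != "") print kind, $NF
    }'
}

sample_listing | flag_special_bits
```

This covers file permission bits only, not whether the program calls setuid() or setgid() at run time.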
