Closed Bug 673116 Opened 13 years ago Closed 13 years ago

Wrong file ownership in debian package

Categories

(Firefox for Android Graveyard :: General, defect)

Product:
Firefox for Android Graveyard
Component:
General
Platform:
All
Maemo
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
Firefox 8

People

(Reporter: jbos, Assigned: jbos)

Details

Attachments

(1 file, 4 obsolete files)

This should be it.
1.80 KB, patch
romaxa
: review+
Details | Diff | Splinter Review 
Fennecs "make deb" is missing some fakeroot's which cause that the files in the maemo debian package are in ownership and group of the user who is calling make deb.

For Fennec on n900 this is some user 500 in group 500, all files installed on N900 are with that ownership which could cause a security issue. They should be root/root

In MeeGo / Harmattan Context this issue is causing that fennec can not be installed at all, since the "root-user" does not have enough permissions.
Also for MeeGo / Harmattan Fennec is missing the needed aegis security manifest and signing. 

The attached patch fixes those issues.
How is this an attack vector ?
Well, maybe i get it wrong but you could simply create such an user "500/500" and alter fennec files in n900,
Group: core-security
Attachment #547396 - Flags: review?(romaxa)
Comment on attachment 547396 [details] [diff] [review]
fix maemo fakeroot issue and attach aegis security manifest for maemo 6

By some reason Brad did not add this in the beginning, would be nice to know why...

http://hg.mozilla.org/mozilla-central/rev/06b737a2f360
Attachment #547396 - Flags: review?(romaxa)
Attachment #547396 - Flags: review?(blassey.bugs)
Attachment #547396 - Flags: review+
Comment on attachment 547396 [details] [diff] [review]
fix maemo fakeroot issue and attach aegis security manifest for maemo 6

Review of attachment 547396 [details] [diff] [review]:
-----------------------------------------------------------------

no, no reason
Attachment #547396 - Flags: review?(blassey.bugs) → review+
I think we need to add small trick here, and make possible to build with maemo6 define on meego platform... please add small check and ignore aegis if that is not available
I think we should add aegis MK define... and check it on configure stage...
please add new version
Comment on attachment 547396 [details] [diff] [review]
fix maemo fakeroot issue and attach aegis security manifest for maemo 6

set this r-, and wait for newer version which does not break non-aegis enabled environment..
Attachment #547396 - Flags: review+ → review-
I set aegis to contentmanager only as we only need it there to access tracker for the file path.
Attachment #549377 - Flags: review?(romaxa)
Comment on attachment 549377 [details] [diff] [review]
Check for aegis only in case you want to use harmattan CONTENTMANAGER


> 		debian/fennec.preinst \
> 		debian/fennec.prerm \
> 		debian/fennec.postinst \
>+		debian/fennec.aegis \
> 		$(NULL)
should not it be also part of define?
updated
Attachment #549377 - Attachment is obsolete: true
Attachment #549809 - Flags: review?(romaxa)
Attachment #549377 - Flags: review?(romaxa)
Comment on attachment 549809 [details] [diff] [review]
Check for aegis only in case you want to use harmattan CONTENTMANAGER


> 		debian/fennec.preinst \
> 		debian/fennec.prerm \
> 		debian/fennec.postinst \
>+ifdef MOZ_ENABLE_CONTENTMANAGER
>+		debian/fennec.aegis \
>+endif
> 		$(NULL)

I think better style here is:

+ifdef MOZ_ENABLE_CONTENTMANAGER
+PP_DEB_FILES += debian/fennec.aegis \
+ 		$(NULL)
+endif
(In reply to comment #11)
> Comment on attachment 549809 [details] [diff] [review] [diff] [details] [review]
> Check for aegis only in case you want to use harmattan CONTENTMANAGER
> 
> 
> > 		debian/fennec.preinst \
> > 		debian/fennec.prerm \
> > 		debian/fennec.postinst \
> >+ifdef MOZ_ENABLE_CONTENTMANAGER
> >+		debian/fennec.aegis \
> >+endif
> > 		$(NULL)
> 
> I think better style here is:
> 
> +ifdef MOZ_ENABLE_CONTENTMANAGER
> +PP_DEB_FILES += debian/fennec.aegis \
> + 		$(NULL)
> +endif

Agreed. Please use Oleg's style.
Attached patch nicer style (obsolete) — Splinter Review 

        Attachment #549809 -
        Attachment is obsolete: true

        Attachment #549819 -
        Flags: review?(romaxa)

        Attachment #549809 -
        Flags: review?(romaxa)

    
    

    
  
Comment on attachment 549819 [details] [diff] [review]
nicer style

> MApplicationPage * MeegoFilePicker::createOpenFilePage()
> {
>     QStringList itemType("http://www.semanticdesktop.org/ontologies/2007/03/22/nfo#FileDataObject");
>-    SelectSingleContentItemPage * page = new SelectSingleContentItemPage(QString(),itemType);
>+    SelectSingleContentItemPage * page = new SelectSingleContentItemPage(QString("mp3 mp4 avi acc jpg jpeg png bmp ogg webm"),itemType);
> 
>     connect(page, SIGNAL(contentItemSelected(const QString &)),
>             this, SLOT  (contentItemSelected(const QString &)));
epr... this I guess not related to this patch ... ;)

    
    

    
  
mhm very odd :O how did this end up here O:-)  ... it should be in the other patch mmmm.

    
    

    
  


  

        Attachment #549819 -
        Attachment is obsolete: true

        Attachment #549819 -
        Flags: review?(romaxa)

    
  

        Attachment #550024 -
        Flags: review?(romaxa)

        Attachment #550024 -
        Flags: review?(romaxa) → review+

        Attachment #547396 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 550024 [details] [diff] [review]
This should be it.

>diff -r d89aeb235076 mobile/installer/Makefile.in
>+ifdef MOZ_ENABLE_CONTENTMANAGER
>+PP_DEB_FILES += debian/fennec.aegis \
>+               $(NULL)
>+endif 

I fixed the end-of-line whitespace in the last line of the chunk above, and landed:
  http://hg.mozilla.org/integration/mozilla-inbound/rev/838b538e5b4a

jbos: for future reference, it's best if you can include a checkin message in the patch headers.  In this case, I made one up based on summary / comment 0 / glancing at the patch -- I hope it's accurate enough. :)
Keywords: checkin-needed
Whiteboard: [inbound]
Assignee: nobody → jeremias.bosch
Target Milestone: --- → Firefox 8

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/838b538e5b4a
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [inbound]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: