| From: | Michael Orlitzky <mjo@g.o> |
|---|---|
| To: | gentoo-portage-dev@l.g.o |
| Subject: | Re: [gentoo-portage-dev] [PATCH 1/2] bin/install-qa-check.d: add new 90bad-bin-owner QA check. |
| Date: | Sun, 29 Jul 2018 20:33:33 |
| Message-Id: | 22f0653c-9db1-c5d4-86e8-bba93d3d8595@gentoo.org |
| In Reply to: | Re: [gentoo-portage-dev] [PATCH 1/2] bin/install-qa-check.d: add new 90bad-bin-owner QA check. by Ulrich Mueller |

On 07/29/2018 03:43 PM, Ulrich Mueller wrote:
>
> Shouldn't this check for setuid binaries like /usr/bin/mandb (which is
> owned by man:man)? I think these are legitimate usage cases.
>

In general, yeah. I think we should be skeptical of setuid/gid
executables, but this isn't the right place to make that stand.

In this specific case, though, I don't see why that program is setuid.
In fact, I'm pretty sure it lets the "man" user gain root privileges.