Archives
Archives
| From: | Michael Orlitzky <mjo@g.o> | ||
|---|---|---|---|
| To: | gentoo-portage-dev@l.g.o | ||
| Subject: | Re: [gentoo-portage-dev] [PATCH 1/2] bin/install-qa-check.d: add new 90bad-bin-owner QA check. | ||
| Date: | Sun, 29 Jul 2018 20:33:33 | ||
| Message-Id: | 22f0653c-9db1-c5d4-86e8-bba93d3d8595@gentoo.org | ||
| In Reply to: | Re: [gentoo-portage-dev] [PATCH 1/2] bin/install-qa-check.d: add new 90bad-bin-owner QA check. by Ulrich Mueller |
||
| 1 | On 07/29/2018 03:43 PM, Ulrich Mueller wrote: |
| 2 | > |
| 3 | > Shouldn't this check for setuid binaries like /usr/bin/mandb (which is |
| 4 | > owned by man:man)? I think these are legitimate usage case. |
| 5 | > |
| 6 | |
| 7 | In general, yeah. I think we should be skeptical of setuid/gid |
| 8 | executables, but this isn't the right place to make that stand. |
| 9 | |
| 10 | In this specific case, though, I don't see why that program is setuid. |
| 11 | In fact, I'm pretty sure it lets the "man" user gain root privileges. |