On 07/29/2018 03:43 PM, Ulrich Mueller wrote:
>
>> On a "normal" system, there is no good reason why the superuser should
>> not own every system executable. This commit adds a new install-time
>> check that reports any such binaries with a QA warning. To avoid false
>> positives, non-"normal" systems (like prefix) are skipped at the moment.
>
> Shouldn't this check for setuid binaries like /usr/bin/mandb (which is
> owned by man:man)? I think these are legitimate usage cases.
>

After thinking about this for a while, I think we should ignore setgid
but not setuid executables. The problem with setuid and a non-root owner
is that the owner can always exploit the situation:

Suppose /bin/foo is owned by "foo" and setuid. If root (or any other
privileged user) is about to run /bin/foo, then the "foo" user can
simply strip away the setuid bit and fill /bin/foo with malicious code.

The same situation with setgid is safe because (as far as I know)
members of the group can't strip off the setgid bit.
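The policy proposed in the message above (flag non-root-owned executables, tolerate setgid-only ones, never exempt setuid ones), as an added example in Python; this is illustrative code, not Portage's own install-time check, and the `Entry` type, `qa_check` function and sample file list are constructed here for the example.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One file from an install image (fields mirror os.lstat())."""
    path: str
    mode: int   # st_mode, including the file-type bits
    uid: int
    gid: int


def is_executable(mode: int) -> bool:
    """Regular file with any execute bit set (symlinks/dirs are not checked)."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def qa_check(entries, root_uid=0):
    """Return (path, reason) pairs for executables that should be owned by root.

    A setgid-only file with a non-root owner is tolerated, because group
    members cannot remove the setgid bit. A setuid file with a non-root
    owner is always reported, because the owner can drop the bit and
    replace the contents before a privileged user runs it.
    """
    problems = []
    for e in entries:
        if not is_executable(e.mode) or e.uid == root_uid:
            continue
        setuid = bool(e.mode & stat.S_ISUID)
        setgid = bool(e.mode & stat.S_ISGID)
        if setgid and not setuid:
            continue  # the /usr/bin/mandb (man:man, setgid) case
        problems.append((e.path, "setuid" if setuid else "executable"))
    return problems


def scan_image(image_dir):
    """Build Entry objects for every file under an install image directory."""
    entries = []
    for dirpath, _dirs, files in os.walk(image_dir):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            entries.append(Entry(p, st.st_mode, st.st_uid, st.st_gid))
    return entries


# Constructed sample modelled on the cases discussed in the thread.
SAMPLE = [
    Entry("/bin/foo", stat.S_IFREG | 0o4755, uid=1000, gid=1000),   # setuid, owned by "foo": reported
    Entry("/usr/bin/mandb", stat.S_IFREG | 0o2755, uid=15, gid=15),  # setgid only: tolerated
    Entry("/bin/su", stat.S_IFREG | 0o4755, uid=0, gid=0),           # setuid root: fine
    Entry("/usr/bin/ls", stat.S_IFREG | 0o755, uid=1000, gid=1000),  # plain non-root executable: reported
]
```

Running `qa_check(scan_image(path))` over a real image directory applies the same rule to files on disk.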