| 1 |
On 07/29/2018 03:43 PM, Ulrich Mueller wrote: |
| 2 |
> |
| 3 |
>> On a "normal" system, there is no good reason why the superuser should |
| 4 |
>> not own every system executable. This commit adds a new install-time |
| 5 |
>> check that reports any such binaries with a QA warning. To avoid false |
| 6 |
>> positives, non-"normal" systems (like prefix) are skipped at the moment. |
| 7 |
> |
| 8 |
> Shouldn't this check for setuid binaries like /usr/bin/mandb (which is |
| 9 |
> owned by man:man)? I think these are legitimate usage case. |
| 10 |
> |
| 11 |
|
| 12 |
After thinking about this for a while, I think we should ignore setgid |
| 13 |
but not setuid executables. The problem with setuid and a non-root owner |
| 14 |
is that the owner can always exploit the situation: |
| 15 |
|
| 16 |
Suppose /bin/foo is owned by "foo" and setuid. If root (or any other |
| 17 |
privileged user) is about to run /bin/foo, then the "foo" user can |
| 18 |
simply strip away the setuid bit and fill /bin/foo with malicious code. |
| 19 |
|
| 20 |
The same situation with setgid is safe because (as far as I know) |
| 21 |
members of the group can't strip off the setgid bit. |
Archives