From: Ian Zimmerman <itz@×××××××.net>
To: gentoo-user@l.g.o
Subject: [gentoo-user] setuid/setgid binaries, man-db security fix
Date: Tue, 13 Dec 2016 01:51:11
Message-Id: 20161212223120.24287.055F9DE6@matica.foolinux.mooo.com
This morning I was pointed at [1] (by reading [2]).

As far as I can see there has been no bug report about this in gentoo.
Should I file one now? It doesn't look like the fix can be easily
backported so probably it will just end up being merged with the rest of
the new version. But it may be worthwhile to mark it as a security
issue.

More generally, I'm wondering about set*id binaries in gentoo. If I
don't want/need the particular feature thus provided, can I simply turn
off the set*id bit? That's what [3] recommends, but what about
upgrades? When a new version of the package is emerged, will the set*id
bit be turned back on? Will I have to remember turning it off forever?
dpkg has a feature (dpkg-statoverride) where a local admin can force
permissions on files shipped in packages, and such overrides "stick"
even across upgrades. Is there anything similar for gentoo?

[1]
https://lists.nongnu.org/archive/html/man-db-announce/2016-12/msg00000.html

[2]
http://www.chiark.greenend.org.uk/~cjwatson/blog/cve-2015-1336.html

[3]
https://wiki.gentoo.org/wiki/Security_Handbook/File_permissions

-- 
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html
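The worry in the post above is that a set*id bit cleared by hand comes back silently on the next upgrade. Whatever the package manager does, the defensive step is to re-audit after every emerge: enumerate the set*id files on the system and compare them against a locally maintained allowlist, so anything new or reappearing is reported. The following POSIX sh script is an added example, not code from the original mail, from Gentoo, or from the man-db project; the allowlist file path and its one-absolute-path-per-line format are assumptions of this example, not a Gentoo or Portage mechanism.

```shell
#!/bin/sh
# Added example: find setuid/setgid files under a directory tree and flag
# the ones that are not on a local allowlist. Re-run after each upgrade
# to catch set*id bits that a package reinstall put back.

# Print every regular file under $1 that has the setuid or setgid bit,
# one absolute path per line, sorted so runs are comparable.
# -perm -4000 / -perm -2000 are the POSIX "all of these bits set" forms.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print the set*id files under $1 that do NOT appear in the allowlist $2.
# Allowlist format (assumed for this example): one absolute path per line.
# grep -F -x matches a whole line literally, so "/usr/bin/su" does not
# accidentally allow "/usr/bin/sudo" or "/usr/bin/su.old".
audit_setid() {
    dir=$1
    allow=$2
    find_setid "$dir" | while IFS= read -r f; do
        if ! grep -F -x -q -e "$f" "$allow"; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: ./setid-audit.sh /usr [/etc/local/setid-allowlist]
# The allowlist location is an assumed convention, not a system file.
if [ $# -ge 1 ]; then
    unexpected=$(audit_setid "$1" "${2:-/etc/local/setid-allowlist}")
    if [ -n "$unexpected" ]; then
        printf 'set*id files not on the allowlist:\n%s\n' "$unexpected"
        exit 1
    fi
    echo "no unexpected set*id files under $1"
fi
```

Running it with `/usr` after each emerge (for example from a post-sync hook or cron) turns "did the bit come back?" into a yes/no check, and the allowlist doubles as documentation of which set*id binaries the admin has consciously decided to keep.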
Subject | Author |
---|---|
Re: [gentoo-user] setuid/setgid binaries, man-db security fix | John Covici <covici@××××××××××.com> |
Re: [gentoo-user] setuid/setgid binaries, man-db security fix | Jeremi Piotrowski <jeremi.piotrowski@×××××.com> |