Gentoo Archives: gentoo-user

From: Ian Zimmerman <itz@×××××××.net>
To: gentoo-user@l.g.o
Subject: [gentoo-user] setuid/setgid binaries, man-db security fix
Date: Tue, 13 Dec 2016 01:51:11
Message-Id: 20161212223120.24287.055F9DE6@matica.foolinux.mooo.com
This morning I was pointed at [1] (by reading [2]).

As far as I can see there has been no bug report about this in gentoo.
Should I file one now? It doesn't look like the fix can be easily
backported so probably it will just end up being merged with the rest of
the new version. But it may be worthwhile to mark it as a security
issue.

More generally, I'm wondering about set*id binaries in gentoo. If I
don't want/need the particular feature thus provided, can I simply turn
off the set*id bit? That's what [3] recommends, but what about
upgrades? When a new version of the package is emerged, will the set*id
bit be turned back on? Will I have to remember to turn it off forever?
dpkg has a feature (dpkg-statoverride) where a local admin can force
permissions on files shipped in packages, and such overrides "stick"
even across upgrades. Is there anything similar for gentoo?

[1]
https://lists.nongnu.org/archive/html/man-db-announce/2016-12/msg00000.html

[2]
http://www.chiark.greenend.org.uk/~cjwatson/blog/cve-2015-1336.html

[3]
https://wiki.gentoo.org/wiki/Security_Handbook/File_permissions

--
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html
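The check a local admin can run after an emerge to see whether a cleared set*id bit has come back, as an added example that is not part of the original message nor a Gentoo or dpkg tool. It assumes GNU find on Linux; the allowlist (one absolute path per line) is this example's own convention, not a package-manager feature.

```shell
#!/bin/sh
# Added example: enumerate setuid/setgid regular files and flag any that the
# admin has not explicitly allowed, so a bit restored by a package upgrade
# shows up instead of silently persisting.

# list_setid ROOT... : print "octal-mode path" for every regular file under the
# given roots that carries the setuid (4000) or setgid (2000) bit.
list_setid() {
    # -xdev stays on one filesystem per root so /proc, /sys, NFS etc. are skipped;
    # -printf is GNU find (assumption: Linux host).
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %p\n' 2>/dev/null | sort -k2
}

# unexpected_setid ALLOWLIST ROOT... : print the set*id files whose path does
# not appear verbatim in ALLOWLIST (one path per line). Empty output means
# every set*id file present is one the admin deliberately kept.
unexpected_setid() {
    allow="$1"
    shift
    list_setid "$@" | while IFS=' ' read -r mode path; do
        # -x whole-line match, -F literal, so "/usr/bin/su" does not match "/usr/bin/sudo"
        if ! grep -qxF -- "$path" "$allow"; then
            printf '%s %s\n' "$mode" "$path"
        fi
    done
}

# Typical use after an upgrade (paths are illustrative, not from the message):
#   unexpected_setid /etc/local/setid.allow /bin /sbin /usr /opt
```

Clearing a bit with chmod u-s and then re-running unexpected_setid after each emerge turns the "will I have to remember forever" worry into a one-line audit.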

Replies

Subject Author
Re: [gentoo-user] setuid/setgid binaries, man-db security fix John Covici <covici@××××××××××.com>
Re: [gentoo-user] setuid/setgid binaries, man-db security fix Jeremi Piotrowski <jeremi.piotrowski@×××××.com>