On Mon, 12 Dec 2016 17:46:31 -0500,
Ian Zimmerman wrote:
>
> This morning I was pointed at [1] (by reading [2]).
>
> As far as I can see there has been no bug report about this in gentoo.
> Should I file one now? It doesn't look like the fix can be easily
> backported so probably it will just end up being merged with the rest of
> the new version. But it may be worthwhile to mark it as a security
> issue.
>
> More generally, I'm wondering about set*id binaries in gentoo. If I
> don't want/need the particular feature thus provided, can I simply turn
> off the set*id bit? That's what [3] recommends, but what about
> upgrades? When a new version of the package is emerged, will the set*id
> bit be turned back on? Will I have to remember turning it off forever?
> dpkg has a feature (dpkg-statoverride) where a local admin can force
> permissions on files shipped in packages, and such overrides "stick"
> even across upgrades. Is there anything similar for gentoo?
>
> [1]
> https://lists.nongnu.org/archive/html/man-db-announce/2016-12/msg00000.html
>
> [2]
> http://www.chiark.greenend.org.uk/~cjwatson/blog/cve-2015-1336.html
>
> [3]
> https://wiki.gentoo.org/wiki/Security_Handbook/File_permissions
>

I suppose you could automatically run a shell script in the post-installation
phase to fix the permissions. I need to do the opposite for one of the
sendmail binaries.

-- 
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici
covici@××××××××××.com
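One concrete way to make the permission fix-up John suggests stick across upgrades, as an added example that is not part of the thread and not Gentoo's or Portage's own code: Portage sources /etc/portage/bashrc for every ebuild phase and calls a pre_<phase>/post_<phase> function if one is defined, so a post_src_install hook can clear the set*id bits in the staging image ${D} before the files are merged to /. That gives roughly the dpkg-statoverride behaviour the original question asks about: the bits are never live on the system, and the override is reapplied automatically on every re-emerge. The package names and paths in the override list are hypothetical local policy, not a statement about which files Gentoo's man-db actually installs set*id.

```shell
# Added example for /etc/portage/bashrc (not from the thread; not Gentoo's
# or Portage's own code). Portage sources this file for every ebuild phase
# and calls pre_<phase>/post_<phase> functions if they are defined.
# post_src_install runs after the package's files are staged under ${D}
# and before they are merged to /, so bits cleared here are never live
# and the override is reapplied on every re-emerge.

# Local policy, one "category/package  path-relative-to-root" pair per line.
# Constructed example: check which files a package really makes set*id
# (e.g. find "${D}" -perm -4000) before listing them here.
SETID_OVERRIDES='
sys-apps/man-db   usr/bin/man
sys-apps/man-db   usr/bin/mandb
'

# strip_setid_bits ROOT PKG
# Clears setuid and setgid on every path listed for PKG, relative to ROOT
# (the image directory ${D} during a merge, or / for a one-off fix-up).
# Returns the number of listed paths that do not exist under ROOT, so a
# stale override is noticed instead of silently skipped.
strip_setid_bits() {
    root=$1 pkg=$2 missing=0
    while read -r p rel; do
        [ "$p" = "$pkg" ] || continue
        f="$root/$rel"
        if [ -e "$f" ]; then
            chmod u-s,g-s "$f"
            echo "strip_setid_bits: cleared set*id on /$rel"
        else
            echo "strip_setid_bits: override for /$rel but file is absent" >&2
            missing=$((missing + 1))
        fi
    done <<EOF
$SETID_OVERRIDES
EOF
    return "$missing"
}

# list_setid ROOT
# Prints every regular file under ROOT that still carries setuid or setgid.
# Run it against / (or ${D}) after an upgrade to confirm nothing crept back.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Portage hook: called once per package with ${D}, ${CATEGORY} and ${PN}
# set by Portage. It only touches ${D}, so it is allowed by the sandbox,
# and the merged package never exposes the bits on the live filesystem.
post_src_install() {
    strip_setid_bits "${D}" "${CATEGORY}/${PN}" || :
}
```

Two caveats worth knowing before relying on this: src_install does not run when a package is installed from a binary package, so on such hosts the same call belongs in a pre_pkg_preinst hook (which also sees ${D}); and clearing the bit disables whatever the package needed the privilege for (for man-db, typically writing the shared cache as its own user), so test the feature you care about after the merge rather than assuming it degrades gracefully. Either way, `find / -xdev -type f -perm -4000` after each world update is the check that tells you whether the override actually held.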