| 1 |
On Mon, 12 Dec 2016 17:46:31 -0500, |
| 2 |
Ian Zimmerman wrote: |
| 3 |
> |
| 4 |
> This morning I was pointed at [1] (by reading [2]). |
| 5 |
> |
| 6 |
> As far as I can see there has been no bug report about this in gentoo. |
| 7 |
> Should I file one now? It doesn't look like the fix can be easily |
| 8 |
> backported so probably it will just end up being merged with the rest of |
| 9 |
> the new version. But it may be worthwhile to mark it as a security |
| 10 |
> issue. |
| 11 |
> |
| 12 |
> More generally, I'm wondering about set*id binaries in gentoo. If I |
| 13 |
> don't want/need the particular feature thus provided, can I simply turn |
| 14 |
> off the set*id bit? That's what [3] recommends, but what about |
| 15 |
> upgrades? When a new version of the package is emerged, will the set*id |
| 16 |
> bit be turned back on? Will I have to remember turning it off forever? |
| 17 |
> dpkg has a feature (dpkg-statoverride) where a local admin can force |
| 18 |
> permissions on files shipped in packages, and such overrides "stick" |
| 19 |
> even across upgrades. Is there anything similar for gentoo? |
| 20 |
> |
| 21 |
> [1] |
| 22 |
> https://lists.nongnu.org/archive/html/man-db-announce/2016-12/msg00000.html |
| 23 |
> |
| 24 |
> [2] |
| 25 |
> http://www.chiark.greenend.org.uk/~cjwatson/blog/cve-2015-1336.html |
| 26 |
> |
| 27 |
> [3] |
| 28 |
> https://wiki.gentoo.org/wiki/Security_Handbook/File_permissions |
| 29 |
> |
| 30 |
|
| 31 |
I suppose you could automatically run a shell script in the post |
| 32 |
installation phase to fix the permissions. I need to do the opposite |
| 33 |
for one of the sendmail binaries. |
| 34 |
|
| 35 |
-- |
| 36 |
Your life is like a penny. You're going to lose it. The question is: |
| 37 |
How do |
| 38 |
you spend it? |
| 39 |
|
| 40 |
John Covici |
| 41 |
covici@××××××××××.com |
Archives