SUID binaries in the repo
Bruno Wolff III
bruno at wolff.to
Fri Oct 26 17:51:16 UTC 2007
On Fri, Oct 26, 2007 at 09:53:24 -0400,
Jesse Keating <jkeating at redhat.com> wrote:
> On Fri, 26 Oct 2007 07:47:31 -0400
> Josh Bressers <bressers at redhat.com> wrote:
>
> > Within Red Hat I care for a suid whitelist. If it's not on the list,
> > I have to be convinced that it should be. It works rather well
> > honestly. It would probably make sense to give this task to the
> > Fedora Security Response Team as it will be them cleaning up the mess
> > after a "suid gone wild" event.
>
> Can you help us draft up a new package review rule that will bring suid
> things to your attention? I think rpmlint may point out suid files, or
> could be made to easily. What's missing is a point of contact or a
> bugzilla keyword or blocker list we set or something.
Note that a patch for capabilities being attached to files is going into
2.6.24 and you should probably have a plan for that. (Even scarier is that
I saw a comment that the nosuid mount parameter would not effect these files;
but that's a different problem than what's being discussed here.)
More information about the fedora-devel-list
mailing list