SUID binaries in the repo

Josh Bressers bressers at redhat.com
Fri Oct 26 11:47:31 UTC 2007


> Thorsten Leemhuis wrote:
> > But we have other packages (I had two and still have one) that entered
> > the repo with SUID binaries that were never reviewed by anyone. Do we
> > care? Do we trust packagers (¹) enough to decide?
> 
> We should definitely make sure they get looked at.  Copying bressers, 
> who might be able to help with drafting a plan.
> 

Yes, this should get some attention from someone.  There is no reason to
allow any app that wants it to have suid.  Things like consolehelper exist
for just this reason.

Within Red Hat I care for a suid whitelist.  If it's not on the list, I
have to be convinced that it should be.  It works rather well honestly.  It
would probably make sense to give this task to the Fedora Security Response
Team as it will be them cleaning up the mess after a "suid gone wild"
event.

-- 
    JB
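The whitelist check the post describes, as an added example that is not from the thread or from Red Hat's own tooling: it lists setuid/setgid files under a tree (for instance an unpacked package root) and reports any not present in a whitelist file. The directory tree and whitelist below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a directory tree
# for setuid/setgid files and report those missing from a whitelist.
# Whitelist contents and the sample tree are constructed for illustration.

# find_suid ROOT -> sorted paths (relative to ROOT) of setuid/setgid files
find_suid() {
    root="$1"
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sed "s|^$root||" | sort
}

# unlisted_suid ROOT WHITELIST -> setuid/setgid files not on the whitelist
# (one absolute path per line in WHITELIST; exact, whole-line matches only)
unlisted_suid() {
    find_suid "$1" | grep -vxF -f "$2" || true
}

# Constructed sample tree: one whitelisted suid binary, one suid binary that
# slipped in unreviewed, one setgid binary, and one ordinary binary.
demo_root="$(mktemp -d)"
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/usr/bin" "$demo_root/usr/sbin"
: > "$demo_root/usr/bin/passwd";  chmod 4755 "$demo_root/usr/bin/passwd"
: > "$demo_root/usr/bin/rogue";   chmod 4755 "$demo_root/usr/bin/rogue"
: > "$demo_root/usr/sbin/foo";    chmod 2755 "$demo_root/usr/sbin/foo"
: > "$demo_root/usr/bin/plain";   chmod 0755 "$demo_root/usr/bin/plain"

whitelist="$demo_root/suid-whitelist.txt"
printf '%s\n' /usr/bin/passwd > "$whitelist"

# Anything printed here needs a reviewer to be convinced it belongs.
unlisted_suid "$demo_root" "$whitelist"
```

Run it against an unpacked package root (for example the output of `rpm2cpio ... | cpio -id`) with the real whitelist to flag binaries that need review.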