[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gentoo-dev
Subject:    Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
From:       "Alon Bar-Lev" <alonbl () gentoo ! org>
Date:       2008-03-24 13:55:48
Message-ID: 9e0cf0bf0803240655g6f0ab2dbh3782fd63222287b8 () mail ! gmail ! com
[Download RAW message or body]

On 3/24/08, Mike Frysinger <vapier@gentoo.org> wrote:
>  how much do we want to help the user ?  if they have USE=filecaps, then dont
>  perform any checking ?  we'll need a kernel with file capabilities turned on,
>  otherwise the prog wont work unless it's setuid ... so do we perform checking
>  and drop the setuid bit on the post sly ?  i'd prefer we just make the
>  filecaps desc verbose: dont set this unless you have new enough kernel with
>  options enabled, otherwise things may stop working properly as non-root.

I also prefer descriptive warning and not runtime checks. Worse case
scenario, system will be usable for root only. root can remove this
USE flag and emerge --update --deep --newuse world.

Alon.
-- 
gentoo-dev@lists.gentoo.org mailing list

[prev in list] [next in list] [prev in thread] [next in thread]