[alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible

From: William Pitcock <nenolod_at_dereferenced.org>
Date: Tue, 26 May 2015 04:32:01 -0500

Hello,

I would like to see a general reduction of SUID binaries where
possible. For example, a lot of APKBUILDs have options=suid when
there's probably no real reason for it.

Examples include ...

    main/apache2
    main/atop
    main/email2trac
    main/fping
    main/fuse
    main/haserl
    main/krb5
    main/mailx
    main/man (I have no idea why you need SUID to view manpages???)
    main/mate-applets (why would we ever give a GUI de facto root???)
    main/nagios-plugins
    main/vte
    main/xscreensaver

We should really investigate why these packages need suid and then fix
the problems. I guess they want read or write access to some
filesystem path that is normally hidden. In this case, we should fix
the filesystem so that we're not hiding junk we don't need to.
Security by obscurity isn't.

William


Received on Tue May 26 2015 - 04:32:01 GMT
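
As an added example (not part of the original message or of Alpine's own tooling), this script builds the two inventories the proposed investigation would start from: the packages in an aports checkout whose APKBUILD sets options=suid, and the setuid/setgid files under an install root. The sample tree, its package names foo, bar and baz, and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original message): audit helpers for SUID review.

# Print "repo/pkg" for each APKBUILD under $1 whose options= lists "suid".
# Files are parsed as text, never sourced, so the audit runs no package code.
# Assumption: options= starts its line and its value sits on that same line.
list_suid_apkbuilds() {
    find "$1" -type f -name APKBUILD | sort | while IFS= read -r f; do
        # Keep the value only: drop trailing comments and quotes.
        opts=$(sed -n 's/^options=//p' "$f" | sed 's/#.*//' | tr -d "\"'" | tr '\t\n' '  ')
        case " $opts " in
            *" suid "*)
                pkgdir=$(dirname "$f")
                echo "$(basename "$(dirname "$pkgdir")")/$(basename "$pkgdir")"
                ;;
        esac
    done
}

# Print every regular file under $1 with the setuid or setgid bit set.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Constructed sample tree (made-up packages foo, bar, baz) for offline runs.
make_sample_tree() {
    mkdir -p "$1/main/foo" "$1/main/bar" "$1/testing/baz" "$1/root/bin"
    printf 'pkgname=foo\noptions="suid !check"\n' > "$1/main/foo/APKBUILD"
    printf 'pkgname=bar\noptions="!check" # no suid here\n' > "$1/main/bar/APKBUILD"
    printf 'pkgname=baz\noptions=suid\n' > "$1/testing/baz/APKBUILD"
    : > "$1/root/bin/helper" && chmod 4755 "$1/root/bin/helper"
    : > "$1/root/bin/plain" && chmod 0755 "$1/root/bin/plain"
}

# With an argument, audit that checkout; with none, demo on the sample tree.
if [ "$#" -gt 0 ]; then
    list_suid_apkbuilds "$1"
else
    demo=$(mktemp -d) && make_sample_tree "$demo"
    list_suid_apkbuilds "$demo"
    list_setid_files "$demo/root"
    rm -rf "$demo"
fi
```

Comments are stripped before matching so that a line such as `options="!check" # no suid here` is not reported as a SUID package.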