On Tue, 26 May 2015 04:32:01 -0500
William Pitcock <nenolod_at_dereferenced.org> wrote:
> I would like to see a general reduction of SUID binaries where
> possible. For example, a lot of APKBUILDs have options=suid when
> there's probably no real reason for it.
Yes. I'd love to clean this up.
> Examples include ...
> main/man (I have no idea why you need SUID to view manpages???)
Let's purge it. mdoc-ml is there. I think there is also a mandb or
something from GNU.
> main/mate-applets (why would we ever give a GUI de facto root???)
I suspect many of them need major refactoring to fix this properly.
For example, the kernel now has support for ICMP echo without root, but I
have not been able to make it work. You need to refactor the ping applications.
IIRC fping tries to open the socket with SOCK_DGRAM and falls back to
SOCK_RAW (which requires root). I think this works on OS X, but to make
it work on Linux you need to refactor lots of other stuff too.
> We should really investigate why these packages need suid and then fix
> the problems. I guess they want read or write access to some
> filesystem path that is normally hidden. In this case, we should fix
> the filesystem so that we're not hiding junk we don't need to.
> Security by obscurity isn't.
Yes. We should try to fix as many as possible.
Received on Tue May 26 2015 - 13:55:37 GMT
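
The socket fallback described in the reply above (SOCK_DGRAM first, then SOCK_RAW), as an added example that is not part of the original message or of fping's code. The `net.ipv4.ping_group_range` sysctl it reads is not mentioned in the thread; it is the Linux setting that gates unprivileged ICMP datagram sockets, and its default of "1 0" admits no group. The function names are hypothetical.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Parse the "min max" text of net.ipv4.ping_group_range. Returns 0 on success. */
int parse_ping_group_range(const char *text, unsigned long *lo, unsigned long *hi)
{
    return sscanf(text, "%lu %lu", lo, hi) == 2 ? 0 : -1;
}

/* 1 if gid falls in the range; an inverted range such as "1 0" allows nobody.
 * The kernel also checks supplementary groups; this checks a single gid. */
int gid_in_ping_range(const char *text, unsigned long gid)
{
    unsigned long lo, hi;
    if (parse_ping_group_range(text, &lo, &hi) != 0)
        return 0;
    return lo <= gid && gid <= hi;
}

/* Open an ICMP socket, least privilege first. *type_used reports which type was tried last. */
int open_icmp_socket(int *type_used)
{
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);  /* no root if gid is in range */
    *type_used = SOCK_DGRAM;
    if (fd < 0) {
        fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);    /* needs root or CAP_NET_RAW */
        *type_used = SOCK_RAW;
    }
    return fd;
}

int main(void)
{
    char buf[64] = "";
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (f) {
        if (!fgets(buf, sizeof buf, f)) buf[0] = '\0';
        fclose(f);
    }
    printf("ping_group_range: %s", buf[0] ? buf : "(unreadable)\n");
    printf("egid %lu allowed: %d\n", (unsigned long)getegid(),
           gid_in_ping_range(buf, (unsigned long)getegid()));
    int type, fd = open_icmp_socket(&type);
    if (fd < 0) { perror("socket"); return 1; }
    printf("opened %s socket\n", type == SOCK_DGRAM ? "SOCK_DGRAM" : "SOCK_RAW");
    close(fd);
    return 0;
}
```

A binary that gets its socket through the SOCK_DGRAM path needs neither the setuid bit nor CAP_NET_RAW, which is the state the thread is aiming for.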