Mail archive
alpine-devel

Re: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible

From: Isaac Dunham <ibid.ag_at_gmail.com>
Date: Tue, 26 May 2015 06:46:44 -0700

On Tue, May 26, 2015 at 04:32:01AM -0500, William Pitcock wrote:
> Hello,
>
> I would like to see a general reduction of SUID binaries where
> possible. For example, a lot of APKBUILDs have options=suid when
> there's probably no real reason for it.
>
> Examples include ...
>
> main/apache2
> main/atop

Perhaps a workaround for grsec limits on sysfs/procfs permissions?

> main/email2trac
> main/fping
> main/fuse
> main/haserl
> main/krb5
> main/mailx
> main/man (i have no idea why you need SUID to view manpages???)

On Debian, this is an install-time choice: suid allows caching manpages
in "catdoc" (preformatted text) format.

> main/mate-applets (why would we ever give a GUI defacto root???)

Yikes.
I'd guess this might be the same as atop.

> main/nagios-plugins
> main/vte

Something to do with ptys, I'm not sure exactly what.

> main/xscreensaver

A screensaver needs to be able to lock the screen, and presumably
also require a password.


---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Tue May 26 2015 - 06:46:44 GMT