Mail archive
alpine-devel

Re: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible

From: Orion <systmkor_at_gmail.com>
Date: Wed, 27 May 2015 18:15:17 -0700

On Tue, 26 May 2015 23:19:05 +0300
eleksir <eleksir_at_exs-elm.ru> wrote:

> Sure. Let's remove suid from sudo and su. It will be clever joke when
> you try to switch to root and fail.

Well with certain roles within a grsec policy that may make sense. :P
For example if you wanted to do some malware sandbox testing.
 
> Go ahead you security freak, remove all suid bits and patch
> kernel/libc to remove all roots of this suid evil.

https://imgur.com/Hej4ZKh

> C'mon people, stop already this talks about "cleaning" system. Submit
> patches, make upstream (not distro maintainers) accept them.

As an end-goal I agree. I think we should try to push these patches back
up-stream to reduce the work distro maintainers need to do. That said
many of these developers don't care about security or they just don't
want to have to change.

To help push various packages following the 'principle of least
privilege' we should

1. Build working examples on Alpine
2. Automate or simplify this process
3. Communicate with and push to upstream developers

-- 
keybase.io/systmkor




---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Wed May 27 2015 - 18:15:17 UTC