Re: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible

From: Natanael Copa <ncopa_at_alpinelinux.org>
Date: Thu, 28 May 2015 08:09:29 +0200

On Tue, 26 May 2015 06:46:44 -0700
Isaac Dunham <ibid.ag_at_gmail.com> wrote:

> On Tue, May 26, 2015 at 04:32:01AM -0500, William Pitcock wrote:
> > Hello,
> >
> > I would like to see a general reduction of SUID binaries where
> > possible. For example, a lot of APKBUILDs have options=suid when
> > there's probably no real reason for it.
> >
> > Examples include ...
> >
> > main/apache2
> > main/atop
>
> Perhaps a workaround for grsec limits on sysfs/procfs permissions?

There should be a boot option for disabling sysfs protection and there
is a group 'readproc' where you can put users who should have read
permissions to /proc.

>
> > main/email2trac
> > main/fping
> > main/fuse
> > main/haserl
> > main/krb5
> > main/mailx
> > main/man (I have no idea why you need SUID to view manpages???)
>
> On Debian, this is an install-time choice: suid allows caching manpages
> in "catdoc" (preformatted text) format.

If we want this feature, then we could probably generate the
catdocs with an apk install trigger? Then the catdocs would be generated
at install time of package.
 
> > main/mate-applets (why would we ever give a GUI de facto root???)
>
> Yikes.
> I'd guess this might be the same as atop.
>
> > main/nagios-plugins
> > main/vte
>
> Something to do with ptys, I'm not sure exactly what.
>
> > main/xscreensaver
>
> A screensaver needs to be able to lock the screen, and presumably
> also require a password.

I think William's proposal is good. Look over why the suid is needed and
check if there are better ways to do it. If there is not, then document
it in the APKBUILD.

-nc


Received on Thu May 28 2015 - 08:09:29 UTC
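
The review the thread proposes (find every APKBUILD that sets options=suid and see whether the reason is written down) can be scripted. The following is an added example, not part of the original mail or of Alpine's tooling; it assumes that "documented" means a `#` comment on the `options=` line or the line directly above it, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: list aports packages whose APKBUILD sets the "suid" option
# and say whether the reason is documented next to it.
# Assumption (not from the thread): "documented" means a "#" comment on the
# options= line itself or on the line directly above it.
# Only single-line options= assignments are handled.

audit_suid_apkbuilds() {
    root=${1%/}
    find "$root" -type f -name APKBUILD | sort | while IFS= read -r f; do
        pkg=${f#"$root"/}
        pkg=${pkg%/APKBUILD}
        awk -v pkg="$pkg" '
            /^[ \t]*options=/ {
                line = $0; trailing = 0
                i = index(line, "#")
                if (i > 0) { trailing = 1; line = substr(line, 1, i - 1) }
                sub(/^[ \t]*options=/, "", line)
                gsub(/[^A-Za-z0-9!_-]/, " ", line)   # drop quotes, keep tokens
                n = split(line, tok, " ")
                for (k = 1; k <= n; k++)
                    if (tok[k] == "suid") {          # negated or other tokens do not match
                        status = (trailing || prev_is_comment) ? "documented" : "UNDOCUMENTED"
                        printf "%s\t%s\n", pkg, status
                        break
                    }
            }
            { prev_is_comment = ($0 ~ /^[ \t]*#/) }
        ' "$f"
    done
}

# Constructed sample tree: atop and fping are names from the thread, zlib is
# an arbitrary non-suid control; all file contents are invented.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/main/atop" "$d/main/fping" "$d/main/zlib"
    printf 'pkgname=atop\noptions="suid !check"\n' > "$d/main/atop/APKBUILD"
    printf 'pkgname=fping\n# suid: reason recorded here\noptions="suid"\n' > "$d/main/fping/APKBUILD"
    printf 'pkgname=zlib\noptions="!check"\n' > "$d/main/zlib/APKBUILD"
    printf '%s\n' "$d"
}

# Run against a real checkout by passing its path as the first argument.
if [ "$#" -gt 0 ]; then audit_suid_apkbuilds "$1"; fi
```

Packages reported as UNDOCUMENTED are the ones to look over first: either the suid bit can be dropped or the reason belongs in the APKBUILD.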