Re: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible

From: Orion <>
Date: Fri, 29 May 2015 11:10:35 -0700

# Note
Trying to get rid of SUID/SGID executables from alpine-mini most likely
will introduce more complexity. I concede that this may not be worth the
effort for the alpine-mini ISO as an install medium but as installation
options, like choosing between dropbear and openssh for your
ssh daemon.

On Fri, 29 May 2015 11:42:31 -0500
William Pitcock <> wrote:

> As far as I know there's no SUID/SGID enabled packages in alpine-mini
> other than bbsuid which we install to proxy only the SUID-needing bits
> of busybox.

While most likely that is true, there are programs that are symbolically
linked to /bin/bbsuid and don't strictly have to be.

* /bin/ping
* /bin/ping6
* /usr/bin/crontab
* /usr/bin/passwd
* /usr/bin/traceroute

# network tools
Could the need for /bin/bbsuid be possibly removed by using extended
file capabilities?

# passwd
The openwall project provides a shadow file mechanism that removes the
need for suid bit on passwd.


I've successfully compiled tcb on Alpine; however, I've not had the
chance to fully test it.

# cron
There are a variety of cron daemons out there and I believe one of them
provides a more fine-grained controlled cron system. I think bcron may
be one.
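
An added example, not part of the original message: a POSIX shell audit of an unpacked root tree that lists SUID/SGID files and the applet symlinks pointing at bbsuid, paired with the alternative the message raises for each. The sample tree, the function names and the cap_net_raw capability name are assumptions added here.

```shell
#!/bin/sh
# Added example, not from the original message. Audits a root filesystem tree
# for SUID/SGID files and for applet symlinks that point at bbsuid.

# Print regular files under ROOT ($1) that carry the SUID or SGID bit.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Map an applet name to the alternative raised in the message.
# cap_net_raw is an assumption added here: it is the Linux capability
# that permits opening raw sockets.
alternative_for() {
    case "$1" in
        ping|ping6|traceroute) echo "file capability (cap_net_raw)" ;;
        passwd)                echo "tcb shadow scheme" ;;
        crontab)               echo "alternative cron daemon" ;;
        *)                     echo "unreviewed" ;;
    esac
}

# Print "path<TAB>alternative" for every symlink under ROOT ($1) whose
# target is named bbsuid. The link target is read, not resolved, so
# absolute targets such as /bin/bbsuid work on an unpacked image.
list_bbsuid_links() {
    find "$1" -type l -print | sort | while IFS= read -r link; do
        target=$(readlink "$link")
        [ "${target##*/}" = "bbsuid" ] || continue
        rel=${link#"$1"}
        printf '%s\t%s\n' "$rel" "$(alternative_for "${link##*/}")"
    done
}

# Build a constructed sample tree (not a real Alpine image) for the demo.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/usr/bin"
    : > "$root/bin/bbsuid";  chmod 4111 "$root/bin/bbsuid"
    : > "$root/bin/busybox"; chmod 0755 "$root/bin/busybox"
    ln -s /bin/bbsuid  "$root/bin/ping"
    ln -s /bin/bbsuid  "$root/usr/bin/passwd"
    ln -s /bin/busybox "$root/bin/ls"
    echo "$root"
}

tree=$(make_sample_tree)
list_suid "$tree"
list_bbsuid_links "$tree"
rm -rf "$tree"
```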



