Date: Tue, 26 May 2015 06:46:44 -0700
From: Isaac Dunham
To: William Pitcock
Cc: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible
Message-ID: <20150526134643.GA1825@newbook>

On Tue, May 26, 2015 at 04:32:01AM -0500, William Pitcock wrote:
> Hello,
>
> I would like to see a general reduction of SUID binaries where
> possible. For example, a lot of APKBUILDs have options=suid when
> there's probably no real reason for it.
>
> Examples include ...
>
> main/apache2
> main/atop

Perhaps a workaround for grsec limits on sysfs/procfs permissions?

> main/email2trac
> main/fping
> main/fuse
> main/haserl
> main/krb5
> main/mailx
> main/man (I have no idea why you need SUID to view manpages???)

On Debian, this is an install-time choice: suid allows caching manpages
in "catdoc" (preformatted text) format.

> main/mate-applets (why would we ever give a GUI de facto root???)

Yikes.
I'd guess this might be the same as atop.

> main/nagios-plugins
> main/vte

Something to do with ptys, I'm not sure exactly what.

> main/xscreensaver

A screensaver needs to be able to lock the screen, and presumably also
require a password.
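
An added example, not part of the original message and not Alpine's own tooling: a read-only audit that lists which packages in an aports-style checkout (`<repo>/<pkg>/APKBUILD`, matching names such as `main/atop` in the thread) set the `suid` option. It assumes `options` is assigned on a single line; the function name `suid_apkbuilds` is hypothetical.

```shell
#!/bin/sh
# Added example: list packages whose APKBUILD sets the "suid" option.
# APKBUILDs are shell scripts, so they are read as text here and never
# sourced: an audit should not execute the files it is auditing.

suid_apkbuilds() {
    # $1: root of a tree laid out as <repo>/<pkg>/APKBUILD (assumed layout)
    find "$1" -type f -name APKBUILD | sort | while IFS= read -r f; do
        if awk '
            /^[ \t]*options=/ {
                line = $0
                sub(/^[ \t]*options=/, "", line)  # keep only the value
                sub(/#.*/, "", line)              # drop a trailing comment
                gsub("[\"\047]", "", line)        # drop double/single quotes
                n = split(line, tok, " ")         # whitespace-separated flags
                for (i = 1; i <= n; i++)
                    if (tok[i] == "suid") found = 1
            }
            END { exit (found ? 0 : 1) }
        ' "$f"; then
            pkgdir=${f%/APKBUILD}
            repo=${pkgdir%/*}
            # Print in the same <repo>/<pkg> form used in the thread.
            echo "${repo##*/}/${pkgdir##*/}"
        fi
    done
}

# Run against a checkout when a directory is given as the first argument.
if [ -d "${1:-}" ]; then
    suid_apkbuilds "$1"
fi
```

Each package it reports can then be checked for files that actually carry the setuid bit; a package that sets the option but installs no such file is a candidate for dropping it.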