X-Original-To: alpine-devel@mail.alpinelinux.org
Delivered-To: alpine-devel@mail.alpinelinux.org
Received: from mail.alpinelinux.org (dallas-a1.alpinelinux.org [127.0.0.1])
	by mail.alpinelinux.org (Postfix) with ESMTP id BB943DC1DB8
	for <alpine-devel@mail.alpinelinux.org>; Thu, 28 May 2015 01:15:29 +0000 (UTC)
Received: from mail-pa0-f45.google.com (mail-pa0-f45.google.com [209.85.220.45])
	(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
	(No client certificate requested)
	by mail.alpinelinux.org (Postfix) with ESMTPS id 80C14DC13E9
	for <alpine-devel@lists.alpinelinux.org>; Thu, 28 May 2015 01:15:24 +0000 (UTC)
Received: by paza2 with SMTP id a2so10664889paz.3
        for <alpine-devel@lists.alpinelinux.org>; Wed, 27 May 2015 18:15:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=date:from:to:subject:message-id:in-reply-to:references:mime-version
         :content-type;
        bh=onm775D/uPx/aK7bpDCwqgw97LKcCQa9FKj7A8WWXx0=;
        b=oEuqSaE1dhDWZOX8JJnCYaqTEhiT+u3BZWht6IjBLy166TW6dCqKynN2/MdA0lP/S7
         fOcJM6kaCoS20lE37Jt5ekEb4BrWo9t6WamGtHI28Xztn0k9lFl5qMdfZtUF8wMnQemg
         IXbRoZptvu3hAC+oRur3Y3ZC/15M9sOkDhL/Koz63B17ghjgtmiUsAK43gFa8VmGJbEn
         K5Eg0r4Dv0okulDhdcEgLmV/B9rAaRxuzCeRrskaQFJi6Ll++dr/6ip7HLz5YXVvOlRe
         3E3OyoGDsvXOHhn4jlqUr/aNjJjekhihgCNsgg2uGzT8T5o0+bXGN1gi2lgB4oDJ0rEA
         htZg==
X-Received: by 10.68.69.39 with SMTP id b7mr371075pbu.35.1432775723418;
        Wed, 27 May 2015 18:15:23 -0700 (PDT)
Received: from twinpeaks.my.domain ([74.82.134.59])
        by mx.google.com with ESMTPSA id dd3sm387460pad.45.2015.05.27.18.15.22
        for <alpine-devel@lists.alpinelinux.org>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 27 May 2015 18:15:22 -0700 (PDT)
Date: Wed, 27 May 2015 18:15:17 -0700
From: Orion <systmkor@gmail.com>
To: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as
 much as possible
Message-ID: <20150527181517.6b9bd422@twinpeaks.my.domain>
In-Reply-To: <5564D539.1050102@exs-elm.ru>
References: <CA+T2pCFTMLEuZjsYCbXVK7GEG3v0S9EvP5FkbboS+mKRK9_0yA@mail.gmail.com>
	<20150526134643.GA1825@newbook>
	<5564D539.1050102@exs-elm.ru>
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.25; x86_64-alpine-linux-musl)
X-Mailinglist: alpine-devel
Precedence: list
List-Id: Alpine Development <alpine-devel.lists.alpinelinux.org>
List-Unsubscribe: 
	<mailto:alpine-devel+unsubscribe@lists.alpinelinux.org?subject=unsubscribe>
List-Post: <mailto:alpine-devel@lists.alpinelinux.org>
List-Help: <mailto:alpine-devel+help@lists.alpinelinux.org?subject=help>
List-Subscribe: 
	<mailto:alpine-devel+subscribe@lists.alpinelinux.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 boundary="Sig_/cxtyw3IESq88Svg/avayaZy"; protocol="application/pgp-signature"
X-Virus-Scanned: ClamAV using ClamSMTP

--Sig_/cxtyw3IESq88Svg/avayaZy
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable

On Tue, 26 May 2015 23:19:05 +0300
eleksir <eleksir@exs-elm.ru> wrote:

> Sure. Let's remove suid from sudo and su. It will be clever joke when=20
> you try to switch to root and fail.

Well with certain roles within a grsec policy that may make sense. :P
For example if you wanted to do some malware sandbox testing.
=20
> Go ahead you security freak, remove all suid bits and patch
> kernel/libc to remove all roots of this suid evil.

https://imgur.com/Hej4ZKh

> C'mon people, stop already this talks about "cleaning" system. Submit=20
> patches, make upstream (not distro maintainers) accept them.

As an end-goal I agree. I think we should try to push these patches back
up-stream to reduce the work distro maintainers need to do. That said
many of these developers don't care about security or they just don't
want to have to change.=20

To help push various packages following the 'principle of least
privilege' we should

1. Build working examples on Alpine
2. Automate or simplify this process
3. Communicate with and push to upstream developers

--=20
keybase.io/systmkor

--Sig_/cxtyw3IESq88Svg/avayaZy
Content-Type: application/pgp-signature
Content-Description: OpenPGP digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJVZmwlAAoJEPM7NuFpB6Q+nkcP/RhaZx/eKcV4nB8PRv9UE051
calnT0I5dAkYz7VqiggbojdrX8B0oypjmy1784fO3/XW+9xvZkmlgG52yBcYMDbA
TLIEiKN1YliQAdp6ZVdGpCwxwHv0aRaazXpMQW8XSD938xre+S5T7jqRb2Kt2rAX
ilbUiCDwG7TmkRpoBfxZ9VIbKZwLdztQ2Vkg44BQMZLXEkmELg6kXK0poxul4xm0
i1AUvVOlSuGLJq0wwDZ7j6ct3hnZzJAGDE53hHcMT1caZvm/EhSKHEWmWX0GFWAY
Du58RtwQfmlXthZx22LwiI6L9kFUTXWrt+cBOZ+sS9qLNwEj6sIgcIty24YtycYe
dlGkCDYXmpTXGAwstECOSr45ml11JO42jKi4vxoF6VkjwXUxuUTBRXxzBcC3MR+u
SW36magaK8e9sI5IqYt1mmRO08hBNq+dOQEAJTI8DvYsNljDPlhjnouYTU/iWPt+
Hr70fuWdQqoGTSxbzjn1lrhl8a3FuCAwOOZkyaoiJ+tmztkz61bpol7HyJczLAdY
imjbKbkUYOy9fGVcIfNpqDTaM5WjQ2YkYkCgemyXpDRUWXy4x+rNBKvjie0wMBJr
VC/BWZkkiFYnyI6H5OQcZEsbLFZYAumIvFWPDB3sH4PpE7BrtcE8mUdBbDPUVdk3
Q6/UwnivZJHC2F8M0Ot8
=t342
-----END PGP SIGNATURE-----

--Sig_/cxtyw3IESq88Svg/avayaZy--


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---