X-Original-To: alpine-devel@mail.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from mail.alpinelinux.org (dallas-a1.alpinelinux.org [127.0.0.1]) by mail.alpinelinux.org (Postfix) with ESMTP id 7871EDC4388; Thu, 28 May 2015 06:09:33 +0000 (UTC) Received: from ncopa-desktop.alpinelinux.org (unknown [79.160.13.133]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: n@tanael.org) by mail.alpinelinux.org (Postfix) with ESMTPSA id 8B644DC140D; Thu, 28 May 2015 06:09:32 +0000 (UTC) Date: Thu, 28 May 2015 08:09:29 +0200 From: Natanael Copa To: Isaac Dunham Cc: William Pitcock , alpine-devel@lists.alpinelinux.org Subject: Re: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible Message-ID: <20150528080929.7d2ac8e5@ncopa-desktop.alpinelinux.org> In-Reply-To: <20150526134643.GA1825@newbook> References: <20150526134643.GA1825@newbook> X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.25; x86_64-alpine-linux-musl) X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV using ClamSMTP On Tue, 26 May 2015 06:46:44 -0700 Isaac Dunham wrote: > On Tue, May 26, 2015 at 04:32:01AM -0500, William Pitcock wrote: > > Hello, > > > > I would like to see a general reduction of SUID binaries where > > possible. For example, a lot of APKBUILDs have options=suid when > > there's probably no real reason for it. > > > > Examples include ... > > > > main/apache2 > > main/atop > > Perhaps a workaround for grsec limits on sysfs/procfs permissions? There should be a boot option for disabling sysfs protection and there is a group 'readproc' where you can put users who should have read permissions to /proc. > > > main/email2trac > > main/fping > > main/fuse > > main/haserl > > main/krb5 > > main/mailx > > main/man (i have no idea why you need SUID to view manpages???) > > On Debian, this is an install-time choice: suid allows caching manpages > in "catdoc" (preformatted text) format. If we want this feature, then we could probably probably generate the catdocs with a apk install trigger? Then the catdocs would be generated at install time of package. > > main/mate-applets (why would we ever give a GUI defacto root???) > > Yikes. > I'd guess this might be the same as atop. > > > main/nagios-plugins > > main/vte > > Something to do with ptys, I'm not sure exactly what. > > > main/xscreensaver > > A screensaver needs to be able to lock the screen, and presumably > also require a password. I think Williams proposal is good. Look over why the suid is needed and check if there are better ways to do it. If there is not, then document it in the APKBUILD. -nc --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---