Date: Fri, 29 May 2015 11:10:35 -0700
From: Orion
To: alpine-devel@lists.alpinelinux.org
Cc: William Pitcock
Subject: Re: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible

# Note

Trying to get rid of SUID/SGID executables from alpine-mini most likely will introduce more complexity. I concede that this may not be worth the effort for the alpine-mini ISO as an install medium but as installation options, like choosing between dropbear and openssh for your ssh daemon.

On Fri, 29 May 2015 11:42:31 -0500 William Pitcock wrote:

> As far as I know there's no SUID/SGID enabled packages in alpine-mini
> other than bbsuid which we install to proxy only the SUID-needing bits
> of busybox.

While most likely that is true, there are programs that are symbolically linked to /bin/bbsuid and don't strictly have to be.

* /bin/ping
* /bin/ping6
* /usr/bin/crontab
* /usr/bin/passwd
* /usr/bin/traceroute

# network tools

Could the need for /bin/bbsuid be possibly removed by using extended file capabilities?

# passwd

The openwall project provides a shadow file mechanism that removes the need for suid bit on passwd.

* http://openwall.com/tcb/

I've successfully compiled tcb on Alpine; however, I've not had the chance to fully test it.

# cron

There are a variety of cron daemons out there and I believe one of them provides a more fine-grained controlled cron system. I think bcron may be one.

* http://untroubled.org/bcron/

--
keybase.io/systmkor
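
One way to reproduce the inventory of /bin/bbsuid symlinks listed in the message above, as an added example that is not part of the original message or of Alpine's tooling. The function names `list_suid` and `links_to` are hypothetical, and the code assumes a `find` with `-perm`/`-xdev` and a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.
# Assumes find(1) with -perm/-xdev and a readlink(1) that supports -f.

# list_suid ROOT
# Print every regular file under ROOT that has the set-uid or set-gid bit.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        LC_ALL=C sort
}

# links_to ROOT TARGET
# Print the symlinks under ROOT that point at TARGET (a path inside ROOT,
# e.g. /bin/bbsuid). Absolute link targets are interpreted relative to ROOT,
# so an unpacked root filesystem can be audited from another system.
# Only the first hop of each link is re-rooted.
links_to() {
    lt_root=${1%/}
    lt_want=$(readlink -f "$lt_root$2")
    find "$1" -xdev -type l 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r lt_link; do
        lt_dest=$(readlink "$lt_link")
        case $lt_dest in
            /*) lt_cand=$lt_root$lt_dest ;;
            *)  lt_cand=$(dirname "$lt_link")/$lt_dest ;;
        esac
        if [ "$(readlink -f "$lt_cand" 2>/dev/null)" = "$lt_want" ]; then
            printf '%s\n' "$lt_link"
        fi
    done
}
```

On an installed system, `links_to / /bin/bbsuid` lists the applets that depend on bbsuid's set-uid bit. File capabilities are stored as an extended attribute on the file itself, so a capability set on bbsuid would apply to every applet reached through it rather than to a single symlink.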