Date: Tue, 26 May 2015 04:32:01 -0500
Subject: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible
From: William Pitcock
To: alpine-devel@lists.alpinelinux.org

Hello,

I would like to see a general reduction of SUID binaries
where possible. For example, a lot of APKBUILDs have options=suid when there's probably no real reason for it. Examples include ...

main/apache2
main/atop
main/email2trac
main/fping
main/fuse
main/haserl
main/krb5
main/mailx
main/man (I have no idea why you need SUID to view manpages???)
main/mate-applets (why would we ever give a GUI de facto root???)
main/nagios-plugins
main/vte
main/xscreensaver

We should really investigate why these packages need suid and then fix the problems. I guess they want read or write access to some filesystem path that is normally hidden. In this case, we should fix the filesystem so that we're not hiding junk we don't need to. Security by obscurity isn't.

William
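
One way to start the investigation the message asks for, as an added example that is not part of the original post or of Alpine's own tooling: list every APKBUILD in an aports-style tree that declares `suid` in `options=`, then list the setuid/setgid files an unpacked package actually ships. The function names, the `demo-tool` and `demo-lib` packages and all file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an aports-style tree for APKBUILDs that declare
# "suid" in options=, and list setuid/setgid files in an unpacked package.

# Print "repo/pkg" for every APKBUILD under $1 whose options= has the word suid.
list_suid_packages() {
    root=${1%/}
    find "$root" -type f -name APKBUILD | sort | while IFS= read -r f; do
        # Take the options= assignment, drop trailing comments and quotes.
        opts=$(sed -n 's/^[[:space:]]*options=//p' "$f" | sed 's/#.*//' | tr -d "\"'")
        for o in $opts; do
            if [ "$o" = suid ]; then
                d=${f%/APKBUILD}
                printf '%s\n' "${d#"$root"/}"
                break
            fi
        done
    done
}

# Print setuid or setgid regular files under $1 (an unpacked package root).
list_setid_files() {
    find "${1%/}" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Build a small constructed tree for demonstration and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/aports/main/fping" "$t/aports/main/demo-tool" \
             "$t/aports/main/demo-lib" "$t/pkg/usr/sbin"
    printf 'pkgname=fping\noptions="suid"\n' > "$t/aports/main/fping/APKBUILD"
    printf 'pkgname=demo-tool\noptions="suid !strip" # constructed\n' \
        > "$t/aports/main/demo-tool/APKBUILD"
    printf 'pkgname=demo-lib\noptions="!strip"\n' > "$t/aports/main/demo-lib/APKBUILD"
    : > "$t/pkg/usr/sbin/fping"; chmod 4755 "$t/pkg/usr/sbin/fping"
    : > "$t/pkg/usr/sbin/plain"; chmod 0755 "$t/pkg/usr/sbin/plain"
    printf '%s\n' "$t"
}

# Run with --demo to audit the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_tree)
    list_suid_packages "$t/aports"
    list_setid_files "$t/pkg"
    rm -rf "$t"
fi
```

Comparing the two lists shows packages that declare `suid` without shipping any setuid file, which are the easiest candidates for dropping the option.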