Re: Bug#27050 (fdutils): A cause for security concern?
On Tue, Jan 19, 1999 at 05:16:01PM -0500, Avery Pennarun wrote:
> When the docs for a setuid program warn you "not to trust its security"
> then be afraid, be very afraid. It shouldn't be automatically setuid in
> Debian until _some_ security-conscious person has audited it carefully.
On a related note, I recently had a relatively grave security concern with
the 'xzx' package (a ZX Spectrum emulator for X) - after it faulted one time
(can't remember what happened - I think it just stopped responding to
closing the window and using 100% CPU), I had a number of things go wrong -
I checked out the binary itself, and found it was suid root!
Now, the postinst (which sets the suid bit) never warned me about this, and
I can also see no reason for it to be suid root - it doesn't appear to give
up root priviledges once started (and contains file dialogs).
I'm not sure whether this violates policy or not (and thus whether to file a
bug against it) - but Policy does not require postinsts using
chmod/suidregister to give message or query, then perhaps it
needs to be added...
--
Robert Donn
Reply to: