
Re: How Debian Linux could be made more secure



On Tue, Apr 28, 1998 at 04:50:45PM +0200, Thomas Roessler wrote:
> First, the Debian Policy should be enhanced by a paragraph
> on suid binaries.  The policy should emphasize the least
> privilege principle.  It should require the use of
> suidmanager when installing scripts suid root.
> 
> Further, the policy should require maintainers to tag bug
> reports about programs running suid root "critical".  (You
> may also consider to add an option to the bug program
> which tags a bug report as a security problem, and thus
> "critical".  This is also interesting for network programs
> which have security breaches and/or denial of service
> vulnerabilities.)

I thought we already addressed this somewhere, though if true it probably
needs to be documented in a more conspicuous place.

IIRC:

root privilege exploits are severity "critical"
user privilege exploits are severity "grave"
denial-of-service attacks are severity "important"

-- 
G. Branden Robinson                 |         Measure with micrometer,
Purdue University                   |         mark with chalk,
branden@purdue.edu                  |         cut with axe,
http://www.ecn.purdue.edu/~branden/ |         hope like hell.
