(forw) Bug#298060: Please don't install login as setuid root
Security and release teams, may I have your advice about this suggestion?
As you may know, I currently act as maintainer for the shadow package,
but I'm also aware of my own weaknesses when it comes at security (and
security-related) issues so I prefer getting the advice of more
Given that installing login non setuid has been blessed for Ubuntu,
I'm inclined to follow the suggestion, but doing so close to a release
is maybe not wise.....so I'm seeking for advices..:-)
----- Forwarded message from Martin Pitt <email@example.com> -----
Subject: Bug#298060: Please don't install login as setuid root
Reply-To: Martin Pitt <firstname.lastname@example.org>, email@example.com
Date: Fri, 4 Mar 2005 12:39:11 +0100
From: Martin Pitt <firstname.lastname@example.org>
To: Debian Bug Tracking System <email@example.com>
/bin/login is currently installed setuid root, which is absolutely not
necessary and only a potential security threat. In Ubuntu we install
it as 0755 for ages now without any problems.
Trivial patch, but for the record:
Please consider making this change for Debian, too.
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org
----- End forwarded message -----