Matt Zimmerman wrote:
> On Fri, Aug 01, 2003 at 11:26:57AM -0400, Stephen Frost wrote:
>
> > * Matt Zimmerman (mdz@debian.org) wrote:
> > > I absolutely support this idea. All set[ug]id setups should be reviewed
> > > before they go in the archive, and I volunteer to do the review (though I
> > > hope that others will help). Does this need a proposal to go into policy
> > > with the same force as the existing pre-depends verbiage?
> >
> > It probably should. I'd be willing to say we might want a separate list
> > for this too. I'm willing to help with the review but I tend to skim
> > d-d..
>
> I think debian-security would be fine, maybe with a special Subject tag.

Here's a draft policy proposal. If this looks ok I'll submit it to the
policy group.

Proposal: [DRAFT] require peer review for setuid and setgid program introduction

Setuid and setgid programs are one of the main causes of security holes and
DSAs in Debian. Often these holes can be spotted easily with a simple review.
Sometimes setuid/gid programs can be modified in fairly simple ways to not
need these dangerous permissions at all. A few well-trained eyes looking over
a package before it goes into the distribution and becomes a security risk
can make all the difference.

So, I propose that any new setuid or setgid programs should be reviewed by a
team of interested people before being put into the distribution. In
discussions on debian-devel, we agreed this was a good idea, and that
debian-security is the appropriate list for these reviews. The reviewers will
be whoever is interested, which currently includes at least one member of the
security team, and one of our most prolific security auditors.

Note the parallel with the existing requirement that essential packages be
discussed on debian-devel.

--- policy.sgml.orig 2003-08-01 13:40:51.000000000 -0400
+++ policy.sgml 2003-08-01 13:45:24.000000000 -0400
@@ -7104,6 +7104,14 @@ execute them. </p> + <p> + Since setuid and setgid programs are often a security rick, + you should not add any new setuid or setgid programs to + the distribution before this has been discussed on the + <em>debian-security</em> mailing list and a consensus about + doing that has been reached. + </p> + <p> It is possible to arrange that the system administrator can reconfigure the package to correspond to their local -- see shy jo
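Review bot: typo in the added paragraph, "security rick" should read "security risk". Also, the proposal title says "require peer review" and the thread asks for "the same force as the existing pre-depends verbiage", but the added text says "you should not add any new setuid or setgid programs"; if a hard requirement is intended, "must not" is the stronger wording. The paragraph also leaves "a consensus about doing that" undefined: it does not say who judges that consensus has been reached, or whether the package may enter the archive while the discussion is still open, which is exactly what a maintainer reading Policy will want to know.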
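The "simple review" the proposal relies on starts with one concrete check: enumerating every set[ug]id file a package installs, with its owner and group, so the reviewer knows exactly which privilege each binary gains. The script below is an added example, not part of the mail above or of Debian policy or tooling. It assumes the package has already been unpacked into a directory tree (for example with `dpkg-deb -x pkg.deb "$root"`) and that GNU findutils is available for `find -printf`; the demo tree it builds is constructed here purely for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail or from Debian): list the
# set[ug]id files in an unpacked package tree, the first thing a reviewer
# on debian-security would want to see for a new package.
# Assumes GNU find (for -printf).

# list_setid ROOT
# Prints one line per set[ug]id regular file under ROOT:
#   <octal mode> <owner> <group> <path>
# -perm -4000 matches the setuid bit, -perm -2000 the setgid bit.
list_setid() {
    root=$1
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %g %p\n' | sort
}

# count_setid ROOT
# Number of set[ug]id files, usable as a gate ("fail if > 0 and no
# review note is attached") in a package-build or CI step.
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# make_demo_tree
# Builds a constructed tree (not a real package) with one setuid file,
# one setgid file and one plain file, and prints its path. Run as a
# normal user the files are owned by that user; the mode bits are still
# set on the inode, so the check finds them regardless of nosuid mounts.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/usr/lib/demo"
    printf '#!/bin/sh\necho hi\n' > "$d/usr/bin/setuid-tool"
    printf '#!/bin/sh\necho hi\n' > "$d/usr/lib/demo/setgid-helper"
    printf '#!/bin/sh\necho hi\n' > "$d/usr/bin/plain-tool"
    chmod 4755 "$d/usr/bin/setuid-tool"          # setuid
    chmod 2755 "$d/usr/lib/demo/setgid-helper"   # setgid
    chmod 0755 "$d/usr/bin/plain-tool"           # neither, must not be listed
    echo "$d"
}

# Stand-alone usage: ./setid-review.sh /path/to/unpacked/package
if [ -n "${1:-}" ]; then
    list_setid "$1"
    echo "set[ug]id files: $(count_setid "$1")"
fi
```

A reviewer would run this against the unpacked .deb, then open each listed binary and ask the two questions the proposal raises: can the hole be spotted by reading the code, and can the program be restructured so it does not need the bit at all.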