
Re: setuid/setgid binaries contained in the Debian repository.



On Fri, Aug 01, 2003 at 01:46:48PM -0400, Joey Hess wrote:
> Setuid and setgid programs are one of the main causes of security
> holes and DSA's in Debian.

Hmm.... 

DSA-360:  no  (daemon)
DSA-359:  yes (uid root: hardware access)
DSA-358:  no  (kernel)
DSA-357:  no  (daemon)
DSA-356:  yes (gid games)
DSA-355:  no  (web css)
DSA-354:  yes (gid games)
DSA-353:  no  (daemon, temp file)
DSA-352:  no  (user, temp file)
DSA-351:  no  (web css)
DSA-350:  yes (gid games)
DSA-349:  no  (daemon)
DSA-348:  yes (system root tool exploit)
...

Looking at these statistics, it is clearly visible that most of the exploits
are game-related; in fact only one system tool and one hardware-accessing
'game' would allow suid root exploits, all others are sgid games.

> A few
> well-trained eyes looking over a package before it goes into the
> distribution and becomes a security risk can make all the difference.

Yes, but I think the eyes should concentrate on non-sgid-games first.
Because this might be a really BIG chunk of UGLINESS one will find there :)

And some of the suid root stuff, like hardware access, might even require
Debian to switch to some more sensible kernel setups.

> +        <p>
> +          Since setuid and setgid programs are often a security rick,
> +          you should not add any new setuid or setgid programs to
> +          the distribution before this has been discussed on the
> +          <em>debian-security</em> mailing list and a consensus about
> +          doing that has been reached.
> +        </p>
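Review bot: typo in the added paragraph, "security rick" should read "security risk". The paragraph also only says that a consensus must be reached on debian-security; it does not say where that outcome gets recorded, so consider adding a pointer (for example the package changelog or the list archive) so that a later reviewer can check that the discussion actually happened.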

Do we want to make an sgid games exception here?

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
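The triage Bernd describes above (suid root first, sgid games last) can be done mechanically from a file-system inventory. The following is an added example, not code from the original thread or from Debian; it assumes the line format produced by `find -printf '%m %u %g %p\n'` (octal mode, owner, group, path) and uses a constructed sample in place of real `find` output.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid binaries and triage them by the
# privilege they confer, so that review effort goes to suid-root binaries
# first and sgid-games binaries last. Not from the original thread.
#
# Assumed real invocation on a Debian host (output format via find -printf):
#   find / -xdev -type f -perm /6000 -printf '%m %u %g %p\n' 2>/dev/null \
#       | classify_setxid
#
# Input line format: "<octal mode> <owner> <group> <path>"
# Output line format: "<class>\t<path>"  (paths with spaces are not expected
# under /bin, /usr, so only the fourth field is used as the path)

classify_setxid() {
    awk '
    {
        mode = $1; owner = $2; group = $3; path = $4
        # find -printf %m omits leading zeros: "4755" carries the special
        # bits in its first digit, while "755" has no special bits at all.
        special = (length(mode) == 4) ? substr(mode, 1, 1) + 0 : 0
        suid = int(special / 4) % 2
        sgid = int(special / 2) % 2
        if (suid && owner == "root")        cls = "suid root"
        else if (suid)                      cls = "suid " owner
        else if (sgid && group == "games")  cls = "sgid games"
        else if (sgid)                      cls = "sgid " group
        else                                cls = "no setxid bit"
        printf "%s\t%s\n", cls, path
    }'
}

# Constructed sample standing in for find output; the paths and modes are
# made up for the example and do not describe any particular package.
sample_input() {
    cat <<'EOF'
4755 root root /bin/su
4755 root root /usr/bin/passwd
4755 root root /usr/bin/chsh
2755 root games /usr/games/snake
2755 root games /usr/games/tetris
2755 root mail /usr/bin/dotlock
755 root root /bin/ls
EOF
}

# Count of entries per class, highest first: the "suid root" line is the
# one an auditor reads before anything else.
summarize_setxid() {
    classify_setxid | cut -f1 | sort | uniq -c | sort -rn
}

# Stand-alone run: classify the constructed sample and print the summary.
sample_input | classify_setxid
echo '---'
sample_input | summarize_setxid
```

Feeding real `find` output through `classify_setxid` and then piping each path into `dpkg -S` gives the per-package list that a reviewer would work through, starting from the `suid root` entries.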
