Re: setuid/setgid binaries contained in the Debian repository.
On Sun, Aug 03, 2003 at 10:04:09PM -0500, Manoj Srivastava wrote:
> I can easily code an entry for katie and friends that takes a new
> package, and marks up the ones with setgid bits set -- and the ftp
> maintainers do not create override entries until they see a consensus
> develop, or the security team says ok.
You could, but it wouldn't be useful as a filter, because it would not
notice packages which set the permissions in postinst (as does every package
with a dynamic uid).
Note that this is NOT what was proposed. While I think this might be a
useful methodology in the future, I do not think that it makes sense until
the review process has established itself in a less fascist manner.
> Are you saying that the review was not discussed as a gating
> mechanism? If that is the case, then I admit I, for one, was fooled.
>
> Message-ID: <20030801151852.GB15502@alcor.net>
> Message-ID: <20030801153312.GA23610@uk.intasys.com>
> >> All set[ug]id setups should be reviewed before they go into the
> >> archive.
I do not understand how you logically reach "gating mechanism" from my
"should" above. None of the other "should" statements in the policy manual
are interpreted this way. How did I fool you?
--
- mdz
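As an added illustration of the point above (example code, not from the thread or from katie): a scanner that checks only the package payload for set[ug]id modes misses bits granted by the maintainer script, so a useful check has to look at both. The function names, the regexes for chmod/dpkg-statoverride lines, and the sample listing (in the tar-style format `dpkg-deb -c` prints) and postinst are all constructed for this example.

```python
import re
import stat
# Constructed sample inputs (not from the thread): a `dpkg-deb -c`-style payload
# listing and a postinst that grants set-id bits only at install time.
SAMPLE_LISTING = """\
-rwsr-xr-x root/root    23456 2003-08-03 22:04 ./usr/bin/passwd-like
-rwxr-sr-x root/games   34567 2003-08-03 22:04 ./usr/games/scorekeeper
-rwxr-xr-x root/root    12345 2003-08-03 22:04 ./usr/bin/svc-helper
"""
SAMPLE_POSTINST = """\
adduser --system --group --home /var/lib/svc svc
chmod 2755 /usr/bin/svc-helper
chmod u+s /usr/lib/svc/privhelper
dpkg-statoverride --update --add root utmp 2755 /usr/bin/logwrapper
"""
SETID = stat.S_ISUID | stat.S_ISGID
_CHMOD = re.compile(r"^\s*chmod\s+(?:-\S+\s+)*(\S+)\s+(\S+)")
_OVERRIDE = re.compile(r"^\s*dpkg-statoverride\s+(?:--\S+\s+)*\S+\s+\S+\s+([0-7]{3,4})\s+(\S+)")
def _kinds(bits):
    return [k for k, b in (("setuid", stat.S_ISUID), ("setgid", stat.S_ISGID)) if bits & b]
def _symbolic_bits(mode):
    """Set-id bits added by a symbolic chmod mode such as u+s, g+s or a+s."""
    bits = 0
    for clause in mode.split(","):
        m = re.fullmatch(r"([ugoa]*)([+=-])([rwxXst]+)", clause)
        if m and m.group(2) != "-" and "s" in m.group(3):
            who = set(m.group(1) or "a")
            bits |= (stat.S_ISUID if who & set("ua") else 0) | (stat.S_ISGID if who & set("ga") else 0)
    return bits
def setid_in_payload(listing):
    """What a payload-only check sees: files whose mode column already carries s/S."""
    found = []
    for line in listing.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("-"):
            mode, path = fields[0], fields[-1].lstrip(".")
            bits = (stat.S_ISUID if mode[3] in "sS" else 0) | (stat.S_ISGID if mode[6] in "sS" else 0)
            found += [(path, k, "payload") for k in _kinds(bits)]
    return found
def setid_in_postinst(script):
    """What it misses: bits granted by chmod or dpkg-statoverride in the maintainer script."""
    found = []
    for line in script.splitlines():
        m = _CHMOD.match(line) or _OVERRIDE.match(line)
        if m:
            mode, path = m.groups()
            bits = int(mode, 8) if re.fullmatch(r"[0-7]{3,4}", mode) else _symbolic_bits(mode)
            found += [(path, k, "postinst") for k in _kinds(bits & SETID)]
    return found
```

Run on the sample inputs, the payload scan reports only passwd-like and scorekeeper, while the postinst scan turns up three more set-id files (one of them, svc-helper, ships 0755 in the payload), which is exactly why the mode bits in the .deb alone cannot serve as the filter.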